Firewall Wizards mailing list archives
Re: What kind of ftp attack is this?
From: Bret McDanel <bret () rehost com>
Date: Thu, 25 Mar 1999 15:28:06 -0500
---Reply on mail from sedwards () sedwards com about What kind of ftp attack is this?
The following is an extract from a Solaris 2.5 (SunOS 5.5.1) box running ftpd wu-2.4.2-academ[BETA-13](1). The IP address appears to be a host in Romania. Is this a "well known signature" of a port scanning attack or ???

Mar 24 13:51:34 strip ftpd[2699]: refused PORT 0,1328 from 193.226.92.xxx
Mar 24 13:51:49 strip ftpd[2703]: refused PORT 0,1331 from 193.226.92.xxx

Unless I miss my guess it may just be a poorly configured client that doesn't know that the IP is of the person that is trying to connect to you, and it's saying that its IP is 0 when they go to get the file.. The PORT command takes arguments that are the IP (comma separated) and port (which is 2 bytes, comma separated).. I tried to get the same log message to appear, but it required that I put in 0,0,0,0,port,port for the IP and didn't understand it otherwise but I am not running that version of wu-ftpd which has KNOWN PUBLISHED vulnerabilities.. I would suggest that you upgrade to something else.. CERT has an advisory on that.. http://www.cert.org/

--
Bret McDanel http://www.rehost.com
Realistic Technologies, Inc. 973-514-1144
These opinions are mine, and may not be the same as my employer
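
The PORT argument format described in the reply above, as an added example that is not part of the original post and is not wu-ftpd's code: a parser for the six comma-separated fields (RFC 959) plus a check a server could apply before opening the data connection. The function names, the refusal policy (address must equal the control-connection peer, port must be 1024 or higher) and the sample addresses are assumptions made for illustration.

```python
"""Parse an FTP PORT argument (RFC 959: h1,h2,h3,h4,p1,p2) and vet it.

Illustrative only: the refusal policy is an assumption, not wu-ftpd's code.
"""
import ipaddress


def parse_port_arg(arg):
    """Return (IPv4Address, port) for 'h1,h2,h3,h4,p1,p2'; ValueError if malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected 6 comma-separated fields, got %d" % len(fields))
    octets = []
    for f in fields:
        # ASCII digits only: rejects signs, blanks and empty fields.
        if not (f.isascii() and f.isdigit()) or int(f) > 255:
            raise ValueError("field %r is not a byte value 0-255" % f)
        octets.append(int(f))
    addr = ipaddress.IPv4Address(bytes(octets[:4]))
    port = octets[4] * 256 + octets[5]  # two bytes, high byte first
    return addr, port


def check_port_cmd(arg, peer_ip):
    """Return (accepted, reason) for a PORT argument received from peer_ip."""
    try:
        addr, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if addr != ipaddress.IPv4Address(peer_ip):
        return False, "address %s is not the control-connection peer %s" % (addr, peer_ip)
    if port < 1024:
        return False, "port %d is in the reserved range" % port
    return True, "ok %s:%d" % (addr, port)


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed sample peer (TEST-NET-1 address)
    samples = [  # constructed PORT arguments
        "192,0,2,10,5,48",  # matches the peer; port 5*256+48 = 1328
        "0,0,0,0,5,48",     # all-zero address, as tried in the reply above
        "192,0,2,10,0,25",  # address matches, port is reserved
        "192,0,2,10,5",     # too few fields
    ]
    for s in samples:
        print("PORT %-16s -> %s" % (s, check_port_cmd(s, peer)))
```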