Firewall Wizards mailing list archives

Re: What kind of ftp attack is this?


From: Bret McDanel <bret () rehost com>
Date: Thu, 25 Mar 1999 15:28:06 -0500

---Reply on mail from sedwards () sedwards com about What kind of ftp attack is this?

The following is an extract from a Solaris 2.5 (SunOS 5.5.1) box running
ftpd wu-2.4.2-academ[BETA-13](1).

The IP address appears to be a host in Romania.

Is this a "well known signature" of a port scanning attack or ???

Mar 24 13:51:34 strip ftpd[2699]: refused PORT 0,1328 from 193.226.92.xxx
Mar 24 13:51:49 strip ftpd[2703]: refused PORT 0,1331 from 193.226.92.xxx


Unless I miss my guess it may just be a poorly configured client that
doesn't know that the IP is of the person that is trying to connect to you,
and it's saying that its IP is 0 when they go to get the file..  

The PORT command takes arguments that are the IP (comma separated) and
port (which is 2 bytes, comma separated)..  I tried to get the same log
message to appear, but it required that I put in 0,0,0,0,port,port for the
IP and didn't understand it otherwise but I am not running that version of
wu-ftpd which has KNOWN PUBLISHED vulnerabilities..  I would suggest that
you upgrade to something else..  CERT has an advisory on that..
http://www.cert.org/


-- 
Bret McDanel                                    http://www.rehost.com
Realistic Technologies, Inc.                             973-514-1144

     These opinions are mine, and may not be the same as my employer
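
The PORT argument format described in the reply above, as an added example that is not part of the original post and is not wu-ftpd's code: it decodes `h1,h2,h3,h4,p1,p2` and shows why `0,0,0,0,5,48` corresponds to the logged `0,1328`. The function names, the peer address 192.0.2.10, the refusal policy and the reading of the log line as "address in hex, port in decimal" are assumptions.

```python
import ipaddress

def parse_port_arg(arg):
    """Parse an FTP PORT argument 'h1,h2,h3,h4,p1,p2' into (address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected 6 comma-separated fields, got %d" % len(fields))
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("fields must be decimal numbers")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("each field must fit in one byte (0-255)")
    addr = ipaddress.IPv4Address(bytes(nums[:4]))
    port = nums[4] * 256 + nums[5]  # two port bytes, high byte first
    return addr, port

def check_port(arg, peer_ip, min_port=1024):
    """Return (accepted, message) for a PORT argument sent by peer_ip.

    Assumed policy, not taken from wu-ftpd: the data address must equal the
    control connection's peer address and the port must not be privileged.
    """
    try:
        addr, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, "malformed PORT from %s: %s" % (peer_ip, exc)
    if addr != ipaddress.IPv4Address(peer_ip) or port < min_port:
        # Message shaped like the log lines in the post, read as
        # "<address in hex>,<port in decimal>" (an assumption).
        return False, "refused PORT %x,%d from %s" % (int(addr), port, peer_ip)
    return True, "PORT %s:%d accepted" % (addr, port)

if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed documentation address, not from the log
    samples = (
        "0,0,0,0,5,48",      # all-zero address, port 5*256+48 = 1328
        "192,0,2,10,5,48",   # address matches the control peer
        "192,0,2,10,0,21",   # matching address, privileged port
        "0,1328",            # not a valid PORT argument at all
    )
    for arg in samples:
        print("%-18s -> %s" % (arg, check_port(arg, peer)))
```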



