Firewall Wizards mailing list archives

Re: What kind of ftp attack is this?


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 25 Mar 1999 16:32:44 -0500

Mar 24 13:51:34 strip ftpd[2699]: refused PORT 0,1328 from 193.226.92.xxx
Mar 24 13:51:49 strip ftpd[2703]: refused PORT 0,1331 from 193.226.92.xxx

Looks like someone using FTP bouncing to do a port scan.
This is why having FTP servers behind firewalls is a Bad Thing.
See
http://www.clark.net/pub/mjr/pubs/attck/sld052.htm
for a sketchy overview of FTP bouncing. You can extrapolate
bouncing to do all kinds of stuff like scanning, denial of
service, etc.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
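
An added example, not part of the original message: a small Python detector that parses `refused PORT` syslog lines in the format quoted above and flags sources with repeated refusals inside a short window, the pattern the reply attributes to bounce scanning. The function names, the threshold and window, the assumed year, and the reading of the two numbers after PORT as address and port fields are assumptions; the sample lines beyond the two quoted ones are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the ftpd syslog format quoted in the post. Reading the two numbers
# after PORT as "address field, port field" is an assumption of this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sftpd\[\d+\]:\s"
    r"refused PORT (?P<addr>[^,\s]+),(?P<port>\d+) from (?P<src>\S+)$"
)

def parse(line, year=1999):
    """Return (timestamp, source, port), or None for unrelated lines.
    syslog omits the year, so the caller supplies it (assumed 1999)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["port"])

def bounce_suspects(lines, threshold=3, window=timedelta(minutes=5)):
    """Map source -> sorted port values for sources that had at least
    `threshold` PORT commands refused within any sliding `window`."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[1]].append((rec[0], rec[2]))
    suspects = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                suspects[src] = sorted({p for _, p in evs})
                break
    return suspects

# Constructed sample: the two lines from the post plus invented ones.
SAMPLE = """\
Mar 24 13:51:34 strip ftpd[2699]: refused PORT 0,1328 from 193.226.92.xxx
Mar 24 13:51:49 strip ftpd[2703]: refused PORT 0,1331 from 193.226.92.xxx
Mar 24 13:52:05 strip ftpd[2707]: refused PORT 0,1334 from 193.226.92.xxx
Mar 24 13:52:10 strip ftpd[2710]: connection from 192.0.2.7
Mar 24 18:40:02 strip ftpd[2801]: refused PORT 0,2040 from 192.0.2.9
""".splitlines()

if __name__ == "__main__":
    for src, ports in bounce_suspects(SAMPLE).items():
        print(f"{src}: refused PORT burst, port values {ports}")
```

A single refused PORT from a source stays below the threshold, so the isolated constructed event from 192.0.2.9 is not reported.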


