Full Disclosure mailing list archives
RE: Re: repeated port 21 attempts
From: Jacob Wu <Wu () AUX UWM EDU>
Date: Tue, 13 Jun 2006 13:26:20 -0500
I have received the suggestion that these attempts to connect to our ftp server are actually attempts to connect to some anti-virus ftp server for updates. This is quite probable given that:

1.) When our client has a 10.x.x.x address all DNS requests resolve to the IP number of my server.
2.) After they register and have a "real" IP we switch them to a real DNS server.

It is also possible that it could be a bot "calling home", but when we have brought the computers down to our office and scanned them ourselves we can't find anything on them. I'm going to call this one done since the "attacks" seem to go away once we give them a "real" IP.

Thanks to all.

-----Original Message-----
From: Andrew Farmer [mailto:andfarm () gmail com]
Sent: Tuesday, June 13, 2006 12:49 PM
To: Jacob Wu
Cc: full-disclosure () lists grok org uk
Subject: Re: Re: [Full-disclosure] repeated port 21 attempts

On 6/13/06, Jacob Wu <Wu () aux uwm edu> wrote:
> They are all non-routable 10.x.x.x IPs. This is for a residence hall at my
> University. Residents, when they first turn on their computers, are given a
> 10.x.x.x IP and made to register and agree with the network use policy. Once
> they do that they are given a "real" IP and thus access to the internet.

Are you doing something weird with DNS that's making this one machine's address show up on lookups, or messing with routing so that everything gets redirected to this box? If so, I'd wonder if this is some sort of bot that you're seeing that's trying to "call home" with FTP. It might behoove you to (kindly) ask the owner of one of the machines to let you take a look at their machine to see what it's doing.

> Someone sent me this link:
> Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04
> But it gives me less information than iptables does.

You may have to modify it to better imitate an FTP server - it was written for use as a faux HTTP server. In particular, the client may be waiting for a banner and/or greeting before it makes a request.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
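Andrew's point about the client waiting for a greeting is the practical one: an FTP client says nothing until it sees a 220 line, so a raw packet log or an HTTP-style snarfer shows only a connection and a silence. The following is an added example for this thread (not code from the list, from websnarf, or from either poster): a minimal Python listener that sends a 220 banner, answers each command with a reply that grants nothing, and logs the command sequence per client so the USER name and CWD paths reveal what the machine was trying to reach. The banner text, reply codes and default port are assumptions constructed for the example.

```python
"""Minimal FTP-greeting listener that records what a connecting client sends.

Added example for this thread, not code from the list or from websnarf.
Assumptions: the probing client behaves like an ordinary FTP client (waits
for a 220 greeting, then sends USER/PASS/CWD/...). Nothing is served; each
command is answered with a harmless reply so the client keeps talking long
enough to reveal what it was looking for. Banner text, reply codes and the
default port are constructed for this example.
"""
import io
import logging
import socketserver
import sys

log = logging.getLogger("ftp-snarf")

GREETING = "220 ftp.example.invalid FTP server ready\r\n"  # constructed banner

# Replies that keep a client talking without granting it anything.
REPLIES = {
    "USER": "331 Password required\r\n",
    "PASS": "530 Login incorrect\r\n",
    "SYST": "215 UNIX Type: L8\r\n",
    "FEAT": "211 End\r\n",
    "QUIT": "221 Goodbye\r\n",
}
DEFAULT_REPLY = "530 Please login with USER and PASS\r\n"


def parse_ftp_command(line):
    """Split one control-channel line into (VERB, argument).

    The verb is upper-cased; the argument is '' when absent.
    A blank line yields (None, '')."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return None, ""
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg.strip()


def reply_for(verb):
    """Canned reply for a verb; unknown verbs get a generic 530."""
    return REPLIES.get(verb, DEFAULT_REPLY)


def record_session(rfile, wfile, max_lines=50):
    """Drive one control connection over file-like objects.

    Sends the greeting first (a client that waits for a banner would otherwise
    sit silently), answers every command, and returns the transcript as a list
    of (verb, argument). PASS arguments are redacted before being recorded.
    """
    wfile.write(GREETING.encode("ascii"))
    transcript = []
    for _ in range(max_lines):
        raw = rfile.readline()
        if not raw:            # client closed the connection
            break
        verb, arg = parse_ftp_command(raw.decode("latin-1", "replace"))
        if verb is None:
            continue
        transcript.append((verb, "<redacted>" if verb == "PASS" else arg))
        wfile.write(reply_for(verb).encode("ascii"))
        if verb == "QUIT":
            break
    return transcript


def replay(client_bytes):
    """Run record_session against a captured or constructed client stream.

    Returns (transcript, server_output) so a session can be inspected offline."""
    out = io.BytesIO()
    transcript = record_session(io.BytesIO(client_bytes), out)
    return transcript, out.getvalue().decode("ascii")


class SnarfHandler(socketserver.StreamRequestHandler):
    timeout = 30  # drop a client that connects but never speaks

    def handle(self):
        peer = self.client_address[0]
        try:
            transcript = record_session(self.rfile, self.wfile)
        except OSError as exc:  # reset, timeout, etc.
            log.info("%s: connection ended early (%s)", peer, exc)
            return
        summary = " | ".join(f"{v} {a}".strip() for v, a in transcript)
        log.info("%s: %s", peer, summary or "<connected, sent nothing>")


class SnarfServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    # Listening on 21 needs privileges; the default is an unprivileged port
    # (redirect 21 there with the firewall, or pass 21 explicitly).
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 2121
    with SnarfServer(("0.0.0.0", port), SnarfHandler) as server:
        log.info("listening on port %d", port)
        server.serve_forever()
```

Run it on the box that the catch-all DNS answer points at and watch the log: an update agent typically logs in with a vendor-specific USER and immediately issues CWD to a definitions directory, which settles the "AV updater or bot" question without touching the resident's machine. Passwords are redacted before they are written anywhere, and the 30-second timeout keeps idle connections from piling up.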