Security Incidents mailing list archives

Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)


From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 6 Jul 2000 10:27:13 -0700


From: Michael M Brockman <mikey () brockman org>
Reply-To: mikey () brockman org
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
Date: Wed, 5 Jul 2000 21:26:11 -0700

On Mon, 03 Jul 2000, you wrote:


As a member of the System Administration group of a large cable network
provider in the Netherlands I can state that there /has/ been an increase
in FTP scans, just as there was a noticeable increase in scans on port 21
when wuftpd 2.5.0 was shown vulnerable.


I provide security services to several companies. In the past two weeks I have
seen several scans that look like this in the logs. Machine name and IP
have been changed to protect the innocent.

Jun 30 20:01:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
      XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=9704 F=0x4000 T=52 SYN

Jun 30 20:03:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
      XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=9977 F=0x4000 T=52 SYN

Jun 30 20:05:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
      XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=10220 F=0x4000 T=52 SYN

Jun 30 20:07:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
      XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=10482 F=0x4000 T=52 SYN

Jun 30 20:09:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
      XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=10739 F=0x4000 T=52 SYN

Jun 30 20:11:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
      XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=11380 F=0x4000 T=52 SYN

Note the spacing of the timestamps and the number of attempts. I have seen this
across several non-related IP addresses, and I also have logs showing
this type of scan on several different machines, some originating from the same
source IP.

Moderator may want to cross-post this.

Michael M Brockman
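As an added illustration (not part of the post or the thread), the following Python parses ipchains "Packet log" records like the ones above and reports sources that repeatedly SYN the same FTP port from the same source port, measuring how regular the gaps between attempts are. The sample records, their RFC 5737 placeholder addresses and the one-record-per-line layout are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample in the ipchains "Packet log" format from the post, one
# record per line (the archive wrapped them). Addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
Jun 30 20:01:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=9704 F=0x4000 T=52 SYN
Jun 30 20:03:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=9977 F=0x4000 T=52 SYN
Jun 30 20:05:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=10220 F=0x4000 T=52 SYN
Jun 30 20:07:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=10482 F=0x4000 T=52 SYN
Jun 30 20:09:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=10739 F=0x4000 T=52 SYN
Jun 30 20:09:40 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:40022 198.51.100.5:21 L=60 S=0x00 I=123 F=0x4000 T=64 SYN
"""

# syslog timestamp, host, then the ipchains fields: chain action iface PROTO src:sport dst:dport ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)$"
)

def parse_line(line, year=2000):
    """Return a dict for one ipchains log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog lines carry no year; the caller supplies it (assumed 2000 here)
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec.update(proto=int(rec["proto"]), sport=int(rec["sport"]), dport=int(rec["dport"]))
    rec["syn"] = "SYN" in rec.pop("rest").split()   # TCP flags trail the record
    return rec

def find_ftp_scans(lines, dport=21, min_hits=3, max_jitter=5.0):
    """Group TCP SYNs to dport by (src, sport, dst); report repeat offenders and gap regularity."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["dport"] == dport and rec["syn"]:
            groups[(rec["src"], rec["sport"], rec["dst"])].append(rec["ts"])
    findings = []
    for (src, sport, dst), times in groups.items():
        if len(times) < max(min_hits, 2):   # need at least two hits to measure a gap
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({"src": src, "sport": sport, "dst": dst, "hits": len(times),
                         "interval": sum(gaps) / len(gaps),
                         "regular": pstdev(gaps) <= max_jitter})   # near-constant spacing
    return findings
```

An unchanging source port across attempts spaced exactly two minutes apart, as in the post, is what the `regular` flag surfaces; hand-typed retries rarely look that uniform.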

