Security Incidents mailing list archives
Re: big increase in ftp scanning
From: Greg Owen <gowen () SOFTLOCK COM>
Date: Tue, 31 Oct 2000 15:58:55 -0500
All appear to simply be traversing the tree and looking for writable directories, rather than probing for compromise.
Pardon, I found one more thing in the logs. They are apparently also issuing an invalid PORT command (trying to bounce off my server?) I assume it is hardwired into the script because two different hosts tried the same PORT command, as follows: Oct 29 06:27:40 ftphost ftpd[4277]: ftphost (cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21 (address mismatch). Oct 29 12:07:13 ftphost ftpd[4360]: ftphost (202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address mismatch). 216.25.117.6 doesn't have a PTR record. Do I recall this correctly, that the PORT command abused this way would allow the attacker to bounce communications off of my host as a relay to a 3rd party host? -- gowen -- Greg Owen -- gowen () SoftLock com
Current thread:
- Re: big increase in ftp scanning, (continued)
- Re: big increase in ftp scanning Daniel Roesen (Nov 08)
- Re: big increase in ftp scanning Tuc (Nov 08)
- Re: big increase in ftp scanning Keith Owens (Nov 09)
- Re: big increase in ftp scanning Jan Muenther (Nov 11)
- Re: big increase in ftp scanning Russell Fulton (Nov 13)
- Re: big increase in ftp scanning Andreas Ferber (Nov 14)
- Re: big increase in ftp scanning Jan Muenther (Nov 14)
- Re: big increase in ftp scanning Florian Weimer (Nov 15)
- Re: big increase in ftp scanning Daniel Roesen (Nov 08)
- Re: big increase in ftp scanning Dirk Meyer (Nov 11)
- Re: big increase in ftp scanning Stefan Tomlik (Nov 13)