Security Incidents mailing list archives

Re: big increase in ftp scanning


From: Greg Owen <gowen () SOFTLOCK COM>
Date: Tue, 31 Oct 2000 15:58:55 -0500

      All appear to simply be traversing the tree and looking
for writable directories, rather than probing for compromise.

        Pardon, I found one more thing in the logs.  They are apparently
also issuing an invalid PORT command (trying to bounce off my server?)  I
assume it is hardwired into the script because two different hosts tried the
same PORT command, as follows:

Oct 29 06:27:40 ftphost ftpd[4277]: ftphost (cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
Oct 29 12:07:13 ftphost ftpd[4360]: ftphost (202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address mismatch).

        216.25.117.6 doesn't have a PTR record.

        Do I recall this correctly, that the PORT command abused this way
would allow the attacker to bounce communications off of my host as a relay
to a 3rd party host?

--
        gowen -- Greg Owen -- gowen () SoftLock com
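
Added example (not part of the original post): a log check that decodes the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2, port = p1*256 + p2) from "Refused PORT" entries and groups third-party targets by the distinct clients that requested them, which is how the hardwired target above shows up. The function names are illustrative, and the log format is assumed to match the two entries quoted in the post, one entry per line.

```python
import re
from collections import defaultdict

# Constructed sample: the two log entries from the post, one entry per line.
SAMPLE_LOG = """\
Oct 29 06:27:40 ftphost ftpd[4277]: ftphost (cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
Oct 29 12:07:13 ftphost ftpd[4360]: ftphost (202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
"""

# Assumed format: "(rdns-name[client-ip]) - Refused PORT h1,h2,h3,h4,p1,p2"
REFUSED = re.compile(
    r"\([^\[\s]+\[(?P<client>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r" - Refused PORT (?P<arg>\d{1,3}(?:,\d{1,3}){5})\b"
)

def decode_port_arg(arg):
    """RFC 959 PORT argument -> (ip, port); port = p1 * 256 + p2."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(f > 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def refused_ports(log_text):
    """Yield (client_ip, target_ip, target_port) for each refused PORT entry."""
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if not m:
            continue
        try:
            target_ip, target_port = decode_port_arg(m.group("arg"))
        except ValueError:
            continue  # field above 255: not a decodable PORT argument
        yield m.group("client"), target_ip, target_port

def shared_targets(log_text):
    """Map each third-party (ip, port) to the distinct clients that requested it."""
    targets = defaultdict(set)
    for client, ip, port in refused_ports(log_text):
        if client != ip:  # PORT names a host other than the connected client
            targets[(ip, port)].add(client)
    return dict(targets)

if __name__ == "__main__":
    for (ip, port), clients in shared_targets(SAMPLE_LOG).items():
        print(f"{ip}:{port} requested by {len(clients)} clients: {sorted(clients)}")
```

A target requested by more than one unrelated client address is the pattern worth alerting on, since it points to the same tool or script rather than a misconfigured client.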

