Security Incidents mailing list archives

Re: big increase in ftp scanning


From: Dante Mercurio <Dante () WEBCTI COM>
Date: Wed, 1 Nov 2000 13:26:30 -0500

A recent firewall install pointed out that a customer had been breached via FTP
on IIS. The person who had installed the NT server had installed IIS 4.0
wide open, no patches, and their Internet connection had a static IP map on
their router through NAT to this server (Ugggg!). So much for them believing
NAT is an end-all to security. Not sure what exploit they used to gain
access.

The IPs' networks listed below match some of the IPs that ended up getting
blocked by the firewall. They set up shop on their server, and were hosting
.MP3 files from it. Looks like the infiltration happened about 10/16 based
on file creation dates and was just found this Monday when we installed a
firewall for them. There must have been a link somewhere to this server,
because it later received some attempts from AOL dial-up accounts, and
cornell.edu accounts, and continues to receive blocked FTP attempts two days
later.

M. Dante Mercurio, CCNA, MCSE+I, TNSP
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com <http://www.ccgsecurity.com>
dmercurio () ccgsecurity com <mailto:dmercurio () ccgsecurity com>

-----Original Message-----
From: Ian Eure [mailto:ieure () SICKFUCK ORG]
Sent: Sunday, October 29, 2000 6:59 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: big increase in ftp scanning


i've seen a ton of ftp scans in the last week.

they have come from:

62.226.217.222 (p3EE2D9DE.dip.t-dialin.net)
64.209.232.25 (isengard.iad4.gctr.net)
62.20.37.140 (basecamp.gotland.se)
24.28.122.195 (cs28122-195.houston.rr.com)
24.162.74.203 (cs16274-203.austin.rr.com)

all this has been in the last week. i run wu-ftpd 2.6.0, with a backport
of the fix from 2.6.1. high risk, but there's no anonymous account, and no
untrusted users have access to ftp.

somewhat OT, can someone recommend a more secure ftpd? it seems like
almost all of the ftp daemons had (have?) bad security problems.

--
 ______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
|   - einsturzende neubaten, "interim"


