Security Incidents mailing list archives

Re: Strange FTP traffic...


From: Erik Tayler <erik () 14X NET>
Date: Fri, 29 Sep 2000 10:39:01 -0500

Just looks like a check for a world writable incoming.  I
need to clear out the WaReZ puppies and VCD couriers every once in a
while on this server, is this how they're finding me?

They are probably looking for a world-writable incoming directory so
they can gain remote-root access to your server. Which ftp
server/version are you running? Notice any strange happenings on your
server? It is doubtful that people would make a directory such as
.000925171453p just to store their warez. I very well could be wrong;
have you found warez residing in those directories? I doubt you found
anything in

. / s t a n l e y / l o o k e d / q u i t e / b o r e d / a n d / s o
m e w h a t / d e t a c h e d , b u t / t h e n / p e n g u i n s / o
f t e n / d o / . ssh () shn nu . / / . http://projects.shn.nu/sean/ . /

Anyway, send more details about your server and such. You are probably
running ProFTPD or wu-ftpd; vulnerable or not, the kiddies don't know
the difference.

Erik Tayler
http://www.14x.net
http://www.digitaloffense.net
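
An added example, not part of the original message: a Python audit that walks an FTP root and reports world-writable directories (the condition discussed above) and directories whose names resemble the `.000925171453p` name quoted in the message. The function names, the sample tree, and the reading of that name as a dot, twelve digits and one letter are assumptions made for this example.

```python
import os
import re
import stat
import tempfile

# Assumption: probe directories look like the one named in the message,
# ".000925171453p": a dot, 12 digits (read here as YYMMDDHHMMSS), one letter.
PROBE_NAME = re.compile(r"^\.\d{12}[A-Za-z]$")


def audit_ftp_tree(root):
    """Walk an FTP root and return (world_writable_dirs, probe_like_dirs).

    Paths are returned relative to root, sorted.
    """
    world_writable, probe_like = [], []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks
            if not stat.S_ISDIR(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
            if PROBE_NAME.match(name):
                probe_like.append(rel)
    return sorted(world_writable), sorted(probe_like)


def build_sample_tree(root):
    """Constructed sample layout, not taken from any real server."""
    for rel, mode in [("pub", 0o755), ("incoming", 0o777),
                      ("incoming/.000925171453p", 0o755)]:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly; mkdir's mode is masked by umask


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        writable, probes = audit_ftp_tree(root)
        print("world-writable:", writable)
        print("probe-like names:", probes)
```

On a real server, pass the anonymous FTP root to `audit_ftp_tree` and compare the output against the directories you intended to be writable.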

