Security Incidents mailing list archives

Re: Strange FTP traffic...


From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Fri, 29 Sep 2000 09:36:24 -0400

Hi Sean,
        Chances are it's exactly as you said, a scan to check for a world
writable incoming dir.  We see these hack attempts all the time on our
various FTP servers, and it generally isn't a problem... unless you have a
world writable incoming dir. =)  While I've never seen these exact commands
being thrown at the FTP server, chances are the SK is using some kind of
script that randomizes the file and directory names it's trying to create.
Seen plenty of that.  Check other FTP servers on your subnet for the same
type of hack, and if there are any, see if there is any pattern to the file
and dir names being created (or attempting to be created).

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/



-----Original Message-----
From: Sean Sosik-Hamor [mailto:ssh () SHN NU]
Sent: Thursday, September 28, 2000 3:34 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Strange FTP traffic...


I had some strange FTP traffic a week or two ago and I'm just now
getting around to remembering to post it.  ;)  Is anyone familiar with
this scan?  Just looks like a check for a world writable incoming.  I
need to clear out the WaReZ puppies and VCD couriers every once in a
while on this server, is this how they're finding me?

Sep 18 22:38:39 wind ftpd[19573]: mkdir incoming/. 36122218p
Sep 18 22:39:05 wind ftpd[8498]: mkdir incoming/. 1122218p
Sep 18 22:40:40 wind ftpd[14735]: mkdir incoming/.MaD/
Sep 23 02:46:04 wind ftpd[31482]: mkdir incoming/. MaD
Sep 25 11:14:08 wind ftpd[4647]: mkdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[4647]: rmdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[8516]: mkdir incoming/.000925171454p
Sep 25 11:14:09 wind ftpd[8516]: rmdir incoming/.000925171454p

There are no other strange log entries...

--

. / s t a n l e y / l o o k e d / q u i t e / b o r e d / a n d / s o
m e w h a t / d e t a c h e d , b u t / t h e n / p e n g u i n s / o
f t e n / d o / . ssh () shn nu . / / . http://projects.shn.nu/sean/ . /
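
Added example, not part of either poster's message: a small log triage script for the pattern check suggested in the reply, run over the ftpd lines quoted above. The function names `classify` and `find_probes` are hypothetical, and the regular expression assumes the syslog layout seen in those eight lines.

```python
import re

# Log lines copied from the message above; nothing here is constructed.
SAMPLE_LOG = """\
Sep 18 22:38:39 wind ftpd[19573]: mkdir incoming/. 36122218p
Sep 18 22:39:05 wind ftpd[8498]: mkdir incoming/. 1122218p
Sep 18 22:40:40 wind ftpd[14735]: mkdir incoming/.MaD/
Sep 23 02:46:04 wind ftpd[31482]: mkdir incoming/. MaD
Sep 25 11:14:08 wind ftpd[4647]: mkdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[4647]: rmdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[8516]: mkdir incoming/.000925171454p
Sep 25 11:14:09 wind ftpd[8516]: rmdir incoming/.000925171454p
"""

# Assumed line layout, inferred from the sample: "<date> <host> ftpd[<pid>]: <cmd> <path>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ftpd\[(\d+)\]: (mkdir|rmdir) (.+)$")

def classify(name):
    """Return the naming traits that make a directory easy to overlook."""
    traits = []
    if name.startswith("."):
        traits.append("hidden")            # not shown by a plain `ls`
    if " " in name:
        traits.append("embedded-space")    # awkward to type or spot in listings
    if re.fullmatch(r"\.\s?\d+p", name):
        traits.append("numeric-tag")       # dot, digits, trailing "p"
    return traits

def find_probes(log_text):
    """Flag suspicious mkdirs and mark those removed again by the same ftpd PID."""
    findings, pending = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, _host, pid, cmd, path = m.groups()
        path = path.rstrip("/")
        name = path.rsplit("/", 1)[-1]
        if cmd == "mkdir" and classify(name):
            hit = {"when": when, "pid": pid, "name": name,
                   "traits": classify(name), "write_test": False}
            findings.append(hit)
            pending[(pid, path)] = hit
        elif cmd == "rmdir" and (pid, path) in pending:
            # create-then-delete in one session is consistent with a writability check
            pending.pop((pid, path))["write_test"] = True
    return findings

if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f["when"], f["pid"], repr(f["name"]), f["traits"], f["write_test"])
```

Running the same function over the logs of neighbouring FTP servers groups the names by trait, which makes a shared naming scheme across hosts easy to see.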


