Security Incidents mailing list archives

Wu-ftpd 2.6.2


From: "Costas Karafasoulis" <karafas () mail ariadne-t gr>
Date: Fri, 19 Apr 2002 08:44:00 +0300

  
 I got a response from the wu-ftpd development team. It seems that it
was a false alarm, so I have attached an ASCII log of the attack.

 A little history of the compromised system:

  - At the beginning it was a default installation of R7.2 running
wu-ftpd 2.6.1
  - 15 days ago it was hacked through wu-ftpd 2.6.1 and the attacker
patched the system to wu-ftpd 2.6.2
    (he had transferred his binary files for wu-ftpd 2.6.2, so I cannot
be definitely sure that this is the original version)
  - After that, several autorooters visited the system, checked the
version and left, except this last attack, which was quite persistent.
    In addition, the attacker kept using his exploiting tool to enter the
system, besides the use of his backdoors, which gives
    an impression of testing the exploiting script.

Wondering if this is an attack on previously rooted systems...

Thanks,
Costas



----------------------------
Costas Karafasoulis
Internet Systematics Lab, 
Honeynet Project
NCSR Demokritos
http://www.honeynet.gr 
 

Attachment: logs.zip

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
