Security Incidents mailing list archives
RE: wu-ftpd attack???
From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Wed, 27 Nov 2002 11:42:17 +0100
I get loads of similar connections every day. I suppose it's some (very simple) automated tool to check various servers if they accept anonymous connections (probably used by warez kids who then upload their warez into server and use it as distribution site). In your case, connections from remote client are too excessive - maybe automated tool isn't properly configured. Default setting in tcp wrappers (which you obviously use to start proftpd) allows maximum of 40 spawned sessions of one service in 60 seconds. In your case, it goes over this maximum number, so inetd terminates proftpd service. If you don't use anonymous ftp (and you said you don't), you can put some restrictions on allowed IPs which connect to your ftp server (of course, if that's possible). In other case, you can put higher value on allowed maximum number of spawned connections in /etc/inetd.conf file. Just find line with proftpd, it should look like: ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd and change nowait parameter to something like nowait.400 This will allow 400 spawned connections in 60 seconds. Best regards, Bojan Zdrnja
-----Original Message----- From: M. den Braber [mailto:maurice () office igr nl] Sent: 26. studeni 2002 10:05 To: incidents () securityfocus com Subject: RE: wu-ftpd attack??? I just posted this in focus-linux a minute ago, looks the same:Hi guys, I'm fairly new to the lists so i hope i'm dropping it in the right one. ;-) Anyway, In my network there is a cobalt raq4 that is hosting several sites and today i noticed that in the last couple of days the number of connections shot through the roof. (Compared to usual ;) ) When i take a look at the logs i noticed that someone is trying to login using an anonymous ftp account, which is, off course disabled. [log] Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: wu-ftpd attack??? M. den Braber (Nov 27)
- RE: wu-ftpd attack??? Bojan Zdrnja (Nov 27)