PaulDotCom mailing list archives
Odd FTP traffic
From: mike at snowcrash.ca (Mike Patterson)
Date: Tue, 25 May 2010 11:10:20 -0400
On 2010/05/25 8:43 AM, Butturini, Russell wrote:
Curious if anyone else on the list has seen this. For the last two days, I am seeing some bizarre looking buffer overflow attempts against one of my FTP servers from an IP in Vietnam. The IPS is catching them as they're triggering the FTP PASS Suspicious Length signature. They don't appear to be happening on regular intervals, which makes me doubt automation, but I'm curious if it's some kind of new zero day that's floating around. If it is automated, this isn't the type of thing I've ever seen bots try before. I've pasted a snippet of the IPS event below where the password is being sent. Anybody else seen this? a: 0000 61 74 6f 72 0d 0a 50 41 53 53 20 31 71 61 32 77 ator..PASS 1qa2w Data: 0010 73 33 65 64 34 72 66 35 74 67 36 79 68 37 75 6a s3ed4rf5tg6yh7uj Data: 0020 38 69 6b 31 71 61 32 77 73 33 65 64 34 72 66 35 8ik1qa2ws3ed4rf5 Data: 0030 74 67 36 79 68 37 75 6a 38 69 6b 0d 0a tg6yh7uj8ik..
You may have noticed this, but that password is just sequential characters from a US English keyboard layout - 1, then drop down to qa, then 2, drop down to ws, etc. I know plenty of people who use sequences like that for default passwords, although to be sure, they don't tend to go up as high as 8ik. :-) Maybe it's just somebody trying for default passwords. Mike
Current thread:
- Odd FTP traffic Butturini, Russell (May 25)
- Odd FTP traffic Mike Patterson (May 25)
- Odd FTP traffic Butturini, Russell (May 25)
- Odd FTP traffic Mike Patterson (May 25)