PaulDotCom mailing list archives

Odd FTP traffic


From: mike at snowcrash.ca (Mike Patterson)
Date: Tue, 25 May 2010 11:10:20 -0400

On 2010/05/25 8:43 AM, Butturini, Russell wrote:
Curious if anyone else on the list has seen this.  For the last two days, I am seeing some bizarre looking buffer 
overflow attempts against one of my FTP servers from an IP in Vietnam.  The IPS is catching them as they're 
triggering the FTP PASS Suspicious Length signature.  They don't appear to be happening on regular intervals, which 
makes me doubt automation, but I'm curious if it's some kind of new zero day that's floating around.  If it is 
automated, this isn't the type of thing I've ever seen bots try before.  I've pasted a snippet of the IPS event below 
where the password is being sent.  Anybody else seen this?

Data: 0000  61 74 6f 72 0d 0a 50 41  53 53 20 31 71 61 32 77  ator..PASS 1qa2w
Data: 0010  73 33 65 64 34 72 66 35  74 67 36 79 68 37 75 6a  s3ed4rf5tg6yh7uj
Data: 0020  38 69 6b 31 71 61 32 77  73 33 65 64 34 72 66 35  8ik1qa2ws3ed4rf5
Data: 0030  74 67 36 79 68 37 75 6a  38 69 6b 0d 0a           tg6yh7uj8ik..

You may have noticed this, but that password is just sequential
characters from a US English keyboard layout - 1, then drop down to qa,
then 2, drop down to ws, etc.  I know plenty of people who use sequences
like that for default passwords, although to be sure, they don't tend to
go up as high as 8ik.  :-)

Maybe it's just somebody trying for default passwords.

Mike
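An added example for this thread, not code from the list or from either poster: the Python below decodes the quoted IPS hex dump back to bytes, pulls out the FTP PASS argument, and then tests that password for keyboard walks using Mike's column-by-column observation, generalised to any run of adjacent keys on a US QWERTY layout (so "qwerty" and "1qa2ws3ed" both count). It also reports whether the string is a shorter stem repeated, which is what pushed this one to the length that tripped the IPS signature. The dump lines are embedded as a constructed sample; the key grid, the adjacency rule and all function names are assumptions of the example.

```python
"""Pull the FTP PASS argument out of an IPS hex dump and test it for a
keyboard walk.  Added example for this thread, not code from the list."""
import re

# Constructed sample: the four hex-dump lines quoted in the thread.
SAMPLE_DUMP = """\
Data: 0000  61 74 6f 72 0d 0a 50 41  53 53 20 31 71 61 32 77  ator..PASS 1qa2w
Data: 0010  73 33 65 64 34 72 66 35  74 67 36 79 68 37 75 6a  s3ed4rf5tg6yh7uj
Data: 0020  38 69 6b 31 71 61 32 77  73 33 65 64 34 72 66 35  8ik1qa2ws3ed4rf5
Data: 0030  74 67 36 79 68 37 75 6a  38 69 6b 0d 0a           tg6yh7uj8ik..
"""

# Assumed layout: "<label>: <offset>  <48-char hex area>  <ascii>", the
# Wireshark/tcpdump style with 16 bytes per line.  The hex area is fixed
# width, so the ASCII column is never mistaken for hex even when it holds
# pairs such as "ed" or "fa".
DUMP_LINE = re.compile(r'^(?:[^:\n]*:)?\s*([0-9a-fA-F]{4})\s{2}(.{1,48})')

def hexdump_to_bytes(dump):
    """Decode a 16-bytes-per-line hex dump back into the raw payload."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # not a dump line (prose, blank, etc.)
        for tok in m.group(2).split():
            if re.fullmatch(r'[0-9a-fA-F]{2}', tok):
                out.append(int(tok, 16))
    return bytes(out)

def extract_pass(payload):
    """Return the argument of the first FTP PASS command, or None."""
    m = re.search(rb'(?i)\bPASS[ \t]+([^\r\n]*)\r?\n', payload)
    return m.group(1).decode('latin-1') if m else None

# US QWERTY rows (assumed grid).  The index within each string is the key's
# column, so 1/q/a/z, 2/w/s/x, ... share a column and a straight-down walk
# like "1qa" is three adjacent keys.  Shifted symbols map to the same key.
_ROWS = [("1234567890-=", "!@#$%^&*()_+"),
         ("qwertyuiop[]", "QWERTYUIOP{}"),
         ("asdfghjkl;'",  "ASDFGHJKL:\""),
         ("zxcvbnm,./",   "ZXCVBNM<>?")]
_POS = {ch: (r, c) for r, (plain, shifted) in enumerate(_ROWS)
        for keys in (plain, shifted) for c, ch in enumerate(keys)}

def adjacent(a, b):
    """True if keys a and b touch on the grid (diagonals and the same key
    pressed twice included); characters off the main block never match."""
    if a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1

def spatial_runs(password, min_len=3):
    """Maximal substrings (>= min_len) whose consecutive keys are all adjacent."""
    runs, start = [], 0
    for i in range(1, len(password) + 1):
        if i == len(password) or not adjacent(password[i - 1], password[i]):
            if i - start >= min_len:
                runs.append(password[start:i])
            start = i
    return runs

def keyboard_walk_coverage(password):
    """Fraction of the password covered by keyboard-walk runs (0.0 to 1.0)."""
    if not password:
        return 0.0
    return sum(len(r) for r in spatial_runs(password)) / len(password)

def repeated_stem(password):
    """(stem, repeats): the shortest string that, repeated, forms the password."""
    if not password:
        return "", 0
    period = (password + password).find(password, 1)  # smallest period
    return password[:period], len(password) // period

def analyse(dump):
    """End to end: hex dump -> PASS argument -> walk/repeat report."""
    pw = extract_pass(hexdump_to_bytes(dump))
    if pw is None:
        return None
    stem, reps = repeated_stem(pw)
    return {"password": pw, "length": len(pw),
            "runs": spatial_runs(pw), "coverage": keyboard_walk_coverage(pw),
            "stem": stem, "repeats": reps}

if __name__ == "__main__":
    print(analyse(SAMPLE_DUMP))
```

On the quoted dump this yields a 48-byte password that is the 24-character stem 1qa2ws3ed4rf5tg6yh7uj8ik sent twice, fully covered by the eight column walks 1qa, 2ws, ..., 8ik; a non-walk password such as Tr0ub4dor&3 produces no runs at all. The same two checks (walk coverage and repeated stem) are a reasonable first filter when sorting brute-force or default-credential attempts out of an FTP log.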

