Snort mailing list archives
FTP command overflow attempt help
From: Tyler Owen <t.l.owen () larc nasa gov>
Date: 11 Dec 2002 12:13:53 -0500
We are receiving a very large number of alerts triggering the "FTP command overflow attempt" alerts. These alerts are coming from two address ranges in Italy. Well, that is not really odd by itself, but what I am really confused on is the traffic (see below for a snippet). They are logging into the machine via anonymous FTP using a password of ics () ipsilon zeta and then issuing the PORT command 5 times per packet. And it appears to be random how many times they do issue the command. The source IPs change but are always from either 213.140.0.0/16 or 213.156.0.0/16. I am at a loss for what is going on. In researching valid traffic I never saw two PORT commands back to back, so is this an attempted DoS or what?? Any info would be very helpful!! I am sorry if this is not the correct avenue for this, but I wasn't sure where to seek help.

Thanks,
Tyler

<DEMARC ALERT SUMMARY>
2002-12-11 04:48:15 SID:3 CID:518383 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58..PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C   213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58..PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58..PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58..
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58..
__________________________________________________________________
2002-12-11 04:48:07 SID:3 CID:518380 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58..PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C   213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58..PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58..PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58..
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58..
__________________________________________________________________
2002-12-11 04:47:59 SID:3 CID:518379 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58..PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C   213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58..PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58..PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58..
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58..
__________________________________________________________________
2002-12-11 04:47:51 SID:3 CID:518377 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58..PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C   213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58..PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58..PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58..
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58..
</DEMARC ALERT SUMMARY>

<ASCII traffic decode>
220 techreports.larc.nasa.gov FTP server ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS ics () ipsilon zeta
230 Guest login ok, access restrictions apply.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,193,253
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,24,243
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
</ASCII traffic decode>
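The payload in those alerts, worked through the way an analyst triaging them would: the following is an added example in Python, not code from the post, from Snort or from Demarc. It decodes the hex dump of the first alert (CID:518383) back into bytes, splits the TCP segment into CRLF-terminated FTP command lines, parses each PORT argument (h1,h2,h3,h4,p1,p2 per RFC 959, data port = p1*256 + p2) into a host and port, and reports the two things worth checking on this traffic: how many commands are stacked into one segment, how long each command line is (the alert name refers to command length), and whether any PORT host differs from the control-connection source, which is the classic FTP bounce indicator. The function names, the `FtpCommand` dataclass and the constructed bounce sample are this example's own; the hex bytes and the 213.140.12.218 source address are copied from the alert header in the post.

```python
"""Decode and triage FTP PORT commands from a Snort/Demarc alert payload.

Added example, not code from the post, Snort or Demarc. ALERT_PAYLOAD_HEX is
the hex dump of alert CID:518383 from the post; ALERT_SRC_IP is the source
address from that alert's header. Everything else is this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Payload bytes of the first alert in the post, rows of the dump joined.
ALERT_PAYLOAD_HEX = (
    "50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C "
    "32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54 "
    "20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C "
    "32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33 "
    "2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C "
    "35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30 "
    "2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A "
    "50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C "
    "32 31 38 2C 32 34 32 2C 35 38 0D 0A"
)
ALERT_SRC_IP = "213.140.12.218"  # control-connection source in the alert header

# Constructed sample (not from the post): a PORT whose host is not the client.
BOUNCE_SAMPLE = b"PORT 10,0,0,1,4,1\r\n"
BOUNCE_SAMPLE_SRC_IP = "213.140.9.152"

# RFC 959 PORT argument: six decimal octets separated by commas.
PORT_RE = re.compile(rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


@dataclass
class FtpCommand:
    verb: str
    raw: bytes                       # command line without its CRLF
    data_host: Optional[str] = None  # parsed from PORT, else None
    data_port: Optional[int] = None  # p1*256 + p2, else None
    error: Optional[str] = None


def hexdump_to_bytes(text: str) -> bytes:
    """bytes.fromhex ignores whitespace, so the dump's spaces need no cleanup."""
    return bytes.fromhex(text)


def split_commands(payload: bytes) -> List[bytes]:
    """FTP command lines end in CRLF (RFC 959); tolerate a bare LF and a trailing partial line."""
    return [line for line in re.split(rb"\r?\n", payload) if line]


def parse_port(line: bytes) -> FtpCommand:
    m = PORT_RE.match(line)
    if not m:
        return FtpCommand("PORT", line, error="malformed PORT argument")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return FtpCommand("PORT", line, error="octet out of range")
    return FtpCommand("PORT", line, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_commands(payload: bytes) -> List[FtpCommand]:
    cmds = []
    for line in split_commands(payload):
        verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
        cmds.append(parse_port(line) if verb == "PORT" else FtpCommand(verb, line))
    return cmds


def triage(payload: bytes, src_ip: str) -> Tuple[List[FtpCommand], int, List[str]]:
    """Return (commands, longest command line in bytes, findings for the analyst)."""
    cmds = parse_commands(payload)
    longest = max((len(c.raw) for c in cmds), default=0)
    findings = []
    if len(cmds) > 1:
        findings.append(f"{len(cmds)} commands in one TCP segment")
    for c in cmds:
        if c.error:
            findings.append(f"{c.error}: {c.raw!r}")
        elif c.verb == "PORT" and c.data_host != src_ip:
            findings.append(f"PORT host {c.data_host} != control source {src_ip} (possible FTP bounce)")
    return cmds, longest, findings


if __name__ == "__main__":
    cmds, longest, findings = triage(hexdump_to_bytes(ALERT_PAYLOAD_HEX), ALERT_SRC_IP)
    for c in cmds:
        print(c.verb, c.data_host, c.data_port, c.error)
    print("longest line:", longest, "bytes;", "findings:", findings)
```

Run against the alert bytes this reports five identical PORT lines of 26 bytes each, all pointing the data connection back at 213.140.12.218 port 62010 (242*256 + 58), and no host mismatch; the only finding is that five commands arrived in a single segment, which is what is unusual about the traffic and why a rule keyed on command length can be tripped by stacked commands even though each line on its own is short.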
Current thread:
- FTP command overflow attempt help Tyler Owen (Dec 11)
- <Possible follow-ups>
- RE: FTP command overflow attempt help Hicks, John (Dec 11)