RE: wu-ftpd attack ???

From: Aaron Lewis (jim@jsw4.net)
Date: 11/26/02

    From: "Aaron Lewis" <jim@jsw4.net>
    To: "'OTERO Hernan Gustavo       EDS'" <bazhgo@techint.net>, <fygrave@tigerteam.net>
    Date: Tue, 26 Nov 2002 09:18:40 -0500

    Ok. In efforts to find out what went on here, I have taken down some of the
    security features recently implemented and restarted tcpdump with
    tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &

    I have copied this to the people who have asked for more information. I'd
    rather deal with a few individuals directly than splatter this all over the
    list. As soon as I have another incident I will post the dump results.

    Thanks

    -----Original Message-----
    From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
    Sent: Tuesday, November 26, 2002 7:04 AM
    To: 'aaron@jsw4.net'
    Subject: wu-ftpd attack ???

    Could you send me the tcpdump (and the command that you run to make the dump,
    i.e., tcpdump -nvv -s 1500 -w blablabla or any other)?

    Thanks,
            Hernán Otero
    Information Security Analyst

    >I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2
    >2.4.18-18.7.x is getting broken by some specific type of scan (I think).
    >When this happens, wu-ftpd just stops responding to connection requests
    >but port 21 is still listening according to netstat -anl. I restart xinetd
    >and all is well.
    >
    >Now, what I have managed to catch in the logs, just before the server
    >stops, are several connections (or a scan) from a specific IP address to
    >multiple virt hosts on my server. There is NO anon ftp and there are NO
    >shell accounts. If someone is interested in the tcp dump for the FTP
    >traffic during this, let me know. Other than that there is nothing
    >suspicious in the logs.
    >
    >Can someone tell me what might be going on please...
    >
    >Aaron Lewis
    >JSW4.NET
    >aaron@jsw4.net

    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com

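A check that tells "listening" apart from "answering", added here as an example and not part of the thread: it opens the control connection and waits for the 220 greeting, which is what clients were hanging on while netstat still showed port 21 in LISTEN. The healthy and mute servers it probes are constructed local stand-ins, not wu-ftpd, so it runs offline.

```python
import socket
import threading
import time

def probe_ftp(host, port, timeout=5.0):
    """'ok': a 220 greeting arrived; 'no-banner': TCP connect succeeded (netstat
    still shows LISTEN) but no greeting within timeout, the hang described in
    the thread; 'unreachable': connect refused or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                greeting = sock.recv(512)
            except socket.timeout:
                return "no-banner"
    except OSError:
        return "unreachable"
    return "ok" if greeting.startswith(b"220") else "no-banner"

def fake_ftpd(hung, hold=2.0):
    """Constructed local stand-in for the daemon: healthy, or accepting but mute."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        conn, _ = srv.accept()
        with conn:
            if hung:
                time.sleep(hold)  # accepted by the listener, never answered
            else:
                conn.sendall(b"220 ftp.example.test FTP server ready.\r\n")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def demo(timeout=1.0):
    """Probe a healthy stand-in, a hung one and a port nothing listens on."""
    healthy_port = fake_ftpd(hung=False)
    hung_port = fake_ftpd(hung=True, hold=timeout * 4)
    with socket.socket() as spare:  # reserve, then release, a free loopback port
        spare.bind(("127.0.0.1", 0))
        dead_port = spare.getsockname()[1]
    return {
        "healthy": probe_ftp("127.0.0.1", healthy_port, timeout),
        "hung": probe_ftp("127.0.0.1", hung_port, timeout),
        "unreachable": probe_ftp("127.0.0.1", dead_port, timeout),
    }
```

Run probe_ftp against the real host from cron; a "no-banner" result is the moment to save the capture and restart xinetd, rather than waiting for a user to notice.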
