Re: wu-ftpd attack ???
From: Rodrigo Barbosa (rodrigob@tisbrasil.com.br)
Date: 11/26/02
Date: Tue, 26 Nov 2002 11:52:51 -0200
From: Rodrigo Barbosa <rodrigob@tisbrasil.com.br>
To: "Aaron D. Lewis" <aaron@jsw4.net>

On Mon, Nov 25, 2002 at 12:06:10PM -0500, Aaron D. Lewis wrote:
> I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2 2.4.18-18.7.x is getting broken by some specific type of scan (I think). When this happens, wu-ftpd just stops responding to connection requests but port 21 is still listening according to netstat -anl. I restart xinetd and all is well.
>
> Now, what I have managed to catch in the logs, just before the server stops, are several connections (or a scan) from a specific IP address to multiple virt hosts on my server. There is NO anon ftp and there are NO shell accounts. If someone is interested in the tcp dump for the FTP traffic during this, let me know. Other than that there is nothing suspicious in the logs.
>
> Can someone tell me what might be going on please...
Well, I can't tell you what is happening, but I can tell you what is not.
As you describe above, wu-ftpd is not at fault. Looks like this is a
problem with xinetd.
Are you sure you are not hitting the max_load control? It does make
xinetd stop accepting connections.
[]s
--
Rodrigo Barbosa - rodrigob at tisbrasil.com.br
TIS - Belo Horizonte, MG, Brazil
"Quis custodiet ipsos custodes?" - http://www.tisbrasil.com.br/
Brainbench Certified -> Transcript ID #3332104
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com
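
One way to test the max_load hypothesis raised in the reply above, as an added example that is not part of the original message: xinetd compares `max_load` with the one-minute load average, so this script lists every `max_load` limit it finds and reports whether a given load has reached it. The function names, the `/etc/xinetd.conf` and `/etc/xinetd.d/` paths, and the sample config and load values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list xinetd max_load limits and compare them with a
# one-minute load average.

# Print "<file> <limit>" for each max_load setting in the given files.
find_max_load() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            { sub(/#.*/, "") }    # ignore comments
            match($0, /^[ \t]*max_load[ \t]*=[ \t]*/) {
                v = substr($0, RLENGTH + 1); sub(/[ \t]+$/, "", v)
                print f, v
            }' "$f"
    done
}

# Succeed when the load ($1) has reached the limit ($2).
load_reached() {
    awk -v l="$1" -v m="$2" 'BEGIN { exit !(l + 0 >= m + 0) }'
}

# Print one verdict line per configured limit.
check_max_load() {
    load=$1; shift
    find_max_load "$@" | while read -r file limit; do
        if load_reached "$load" "$limit"; then state=REACHED; else state=ok; fi
        echo "$state $file max_load=$limit load=$load"
    done
}

if [ "${1:-}" = "--live" ]; then
    # Live host: assumed default paths and Linux /proc/loadavg.
    read -r load1 rest < /proc/loadavg
    check_max_load "$load1" /etc/xinetd.conf /etc/xinetd.d/*
else
    # Constructed sample config and load values, not taken from the thread.
    sample=$(mktemp)
    printf 'service ftp\n{\n\t# max_load = 9\n\tmax_load = 2.5\n}\n' > "$sample"
    check_max_load 3.10 "$sample"   # load above the limit
    check_max_load 0.40 "$sample"   # load below the limit
    rm -f "$sample"
fi
```

Run with `--live` on the affected host while the service is unresponsive; no output means no `max_load` limit is configured in the files checked.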