RE: wu-ftpd attack ???
From: Aaron Lewis (jim@jsw4.net)
Date: 11/26/02
From: "Aaron Lewis" <jim@jsw4.net>
To: <jim@jsw4.net>, "'OTERO Hernan Gustavo EDS'" <bazhgo@techint.net>, <fygrave@tigerteam.net>
Date: Tue, 26 Nov 2002 15:22:42 -0500

Apologies. After some trial and error, the current syntax being used to
collect traffic is

tcpdump -nvvX -s 1500 -w /var/log/ftpdump 'port 20 or 21' &

I'll supply the results after the next attack or substantial event. For
everyone who's interested, please provide me with a valid e-mail and I'll
communicate directly, as I do not wish to post explicit data to the list.
-----Original Message-----
From: Aaron Lewis [mailto:jim@jsw4.net]
Sent: Tuesday, November 26, 2002 9:19 AM
To: 'OTERO Hernan Gustavo EDS'; fygrave@tigerteam.net
Cc: incidents@securityfocus.com; da@securityfocus.com
Subject: RE: wu-ftpd attack ???
Ok. In an effort to find out what went on here, I have taken down some of the
security features recently implemented and restarted tcpdump with

tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &

I have copied this to the people who have asked for more information. I'd
rather deal with a few individuals directly than splatter this all over the
list. As soon as I have another incident I will post the dump results.
Thanks
-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Tuesday, November 26, 2002 7:04 AM
To: 'aaron@jsw4.net'
Subject: wu-ftpd attack ???
Could you send me the tcpdump (and the command that you ran to make the dump,
i.e., tcpdump -nvv -s 1500 -w blablabla or any other)?
Thanks,
Hernán Otero
Information Security Analyst
> I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2 2.4.18-18.7.x is
> getting broken by some specific type of scan (I think). When this happens, wu-ftpd just stops
> responding to connection requests but port 21 is still listening according to netstat -anl.
> I restart xinetd and all is well.
> Now, what I have managed to catch in the logs, just before the server stops, are several
> connections (or a scan) from a specific IP address to multiple virt hosts on my server. There
> is NO anon ftp and there are NO shell accounts. If someone is interested in the tcp dump
> for the FTP traffic during this, let me know. Other than that there is nothing suspicious
> in the logs.
> Can someone tell me what might be going on please...
> Aaron Lewis
> JSW4.NET
> aaron@jsw4.net
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
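The thread above captures FTP control and data traffic with `tcpdump -w` and wants to see, after the fact, whether one client hit many virtual hosts on port 21 shortly before wu-ftpd stopped answering. The following is an added example, not code from the thread or from any list participant: a minimal reader for the pcap format that `tcpdump -w` produces (Ethernet link type only), which counts connection attempts (SYN without ACK) to port 21 per client address and lists the distinct server addresses each client touched. The sample capture is constructed in memory from documentation-range addresses (198.51.100.7, 192.0.2.5, 203.0.113.x) purely to exercise the parser; the function and variable names are the example's own.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_pcap(packets):
    """Assemble an in-memory pcap file from (timestamp, raw Ethernet frame) pairs."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1500, LINKTYPE_ETHERNET)
    out = [header]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing tests)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"     # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def iter_packets(pcap):
    """Yield (ts_sec, frame) for every record in a pcap byte string."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", pcap[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles Ethernet captures only")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def summarize_ftp_control(pcap):
    """Per client: (number of SYNs to port 21, sorted list of server addresses contacted).

    Only the control channel (port 21) is counted; port-20 data traffic is ignored.
    """
    seen = defaultdict(lambda: {"syns": 0, "targets": set()})
    for _, frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _, dport, flags = parsed
        if dport == 21 and (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            seen[src]["syns"] += 1
            seen[src]["targets"].add(dst)
    return {ip: (v["syns"], sorted(v["targets"])) for ip, v in seen.items()}


def flag_multi_vhost_sources(summary, min_targets=3):
    """Clients that opened control sessions to at least min_targets distinct server addresses."""
    return sorted(ip for ip, (_, targets) in summary.items() if len(targets) >= min_targets)


# Constructed sample: one client sweeping four virtual-host addresses, one ordinary client.
SAMPLE_PCAP = build_pcap(
    [(1000 + i, tcp_frame("198.51.100.7", "203.0.113.%d" % (10 + i), 40000 + i, 21, TCP_SYN))
     for i in range(4)]
    + [(1010, tcp_frame("192.0.2.5", "203.0.113.10", 50000, 21, TCP_SYN)),
       (1011, tcp_frame("192.0.2.5", "203.0.113.10", 50000, 21, TCP_ACK))]
)

if __name__ == "__main__":
    summary = summarize_ftp_control(SAMPLE_PCAP)
    for ip, (syns, targets) in summary.items():
        print(ip, syns, targets)
    print("multi-vhost sources:", flag_multi_vhost_sources(summary))
```

Pointing `summarize_ftp_control` at the bytes of a real `-w` file (for example `open('/var/log/ftpdump', 'rb').read()`) gives the same per-client view; the threshold in `flag_multi_vhost_sources` is arbitrary and should be set from the number of virtual hosts a legitimate client is expected to reach.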