RE: wu-ftpd attack???

From: Bojan Zdrnja (Bojan.Zdrnja@FER.hr)
Date: 11/27/02

    From: "Bojan Zdrnja" <Bojan.Zdrnja@FER.hr>
    To: "'M. den Braber'" <maurice@office.igr.nl>, <incidents@securityfocus.com>
    Date: Wed, 27 Nov 2002 11:42:17 +0100
    
    

    I get loads of similar connections every day. I suppose it's some (very
    simple) automated tool that checks whether various servers accept anonymous
    connections (probably used by warez kids who then upload their warez to the
    server and use it as a distribution site).

    In your case, the connections from the remote client are excessive - maybe
    the automated tool isn't properly configured.

    The default setting in tcp wrappers (which you obviously use to start proftpd)
    allows a maximum of 40 spawned sessions of one service in 60 seconds. In your
    case, it goes over this maximum number, so inetd terminates the proftpd service.

    If you don't use anonymous ftp (and you said you don't), you can put some
    restrictions on the IPs allowed to connect to your ftp server (of course, if
    that's possible).

    Otherwise, you can raise the allowed maximum number of spawned
    connections in the /etc/inetd.conf file.

    Just find the line with proftpd; it should look like:

    ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd

    and change the nowait parameter to something like nowait.400.
    This will allow 400 spawned connections in 60 seconds.

    Best regards,

    Bojan Zdrnja

    > -----Original Message-----
    > From: M. den Braber [mailto:maurice@office.igr.nl]
    > Sent: 26 November 2002 10:05
    > To: incidents@securityfocus.com
    > Subject: RE: wu-ftpd attack???
    >
    >
    > I just posted this in focus-linux a minute ago, looks the same:
    >
    > >Hi guys,
    > >
    > >I'm fairly new to the lists so I hope I'm dropping it
    > >in the right one. ;-)
    > >
    > >Anyway,
    > >
    > >In my network there is a Cobalt RaQ4 that is hosting several
    > >sites and today I noticed that in the last couple of days the
    > >number of connections shot through the roof. (Compared to usual ;) )
    > >
    > >When I took a look at the logs I noticed that someone
    > >is trying to log in using an anonymous ftp account, which is,
    > >of course, disabled.
    > >
    > >[log]
    > >Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.
    >
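
The reply above ties the shutdown to more than 40 sessions being spawned within 60 seconds. As an added example (not code from either poster, proftpd or inetd), this Python script approximates that limit with a sliding window over `FTP session opened` entries and reports the peak rate and which sources produced it. The log lines are constructed, and the `(host[address])` field layout, the function names and the documentation-range addresses are assumptions, since the quoted log line does not show the client field.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed layout: "<Mon DD HH:MM:SS> <host> proftpd[<pid>]: <host> (<name>[<ip>]) - FTP session opened."
OPENED = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sproftpd\[\d+\]:"
                    r".*?\[(?P<ip>[\d.]+)\]\)\s-\sFTP session opened\.")

def parse(line, year=2002):
    """Return (timestamp, source IP) for a session-open entry, else None."""
    m = OPENED.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def peak_rate(lines, window=60):
    """Return (max sessions opened in any `window` seconds, per-source counts at that peak)."""
    recent, peak, sources = deque(), 0, {}
    for ts, ip in sorted(e for e in map(parse, lines) if e):
        recent.append((ts, ip))
        while (ts - recent[0][0]).total_seconds() >= window:
            recent.popleft()          # drop entries that fell out of the window
        if len(recent) > peak:
            peak, sources = len(recent), dict(Counter(i for _, i in recent))
    return peak, sources

def over_limit(lines, limit, window=60):
    """True when the spawn rate would exceed an inetd limit such as nowait.<limit>."""
    return peak_rate(lines, window)[0] > limit

def sample_log():
    """Constructed log: a 45-session burst from one source plus a quiet second source."""
    t0 = datetime(2002, 11, 25, 10, 37, 53)
    fmt = "{:%b %d %H:%M:%S} koushaven proftpd[{}]: koushaven (host[{}]) - FTP session opened."
    burst = [fmt.format(t0 + timedelta(seconds=s), 8479 + s, "192.0.2.10") for s in range(45)]
    quiet = [fmt.format(t0 + timedelta(minutes=5 * m), 9000 + m, "198.51.100.7") for m in range(3)]
    return burst + quiet + ["Nov 25 10:40:00 koushaven sshd[1]: unrelated line"]

if __name__ == "__main__":
    peak, sources = peak_rate(sample_log())
    print(f"peak {peak} sessions/60s, sources: {sources}")
    for limit in (40, 400):
        print(f"limit {limit}: {'exceeded' if over_limit(sample_log(), limit) else 'ok'}")
```

A peak dominated by one address points to restricting that source; a peak spread across many legitimate clients is the case where raising the `nowait` value is the relevant change.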
