Security Incidents: Re: big increase in ftp scanning

Re: big increase in ftp scanning

From: Greg Owen <gowen_at_SOFTLOCK.COM>
Date: Tue, 31 Oct 2000 15:58:55 -0500

> All appear to simply be traversing the tree and looking
> for writable directories, rather than probing for compromise.

        Pardon, I found one more thing in the logs. They are apparently
also issuing an invalid PORT command (trying to bounce off my server?). I
assume it is hardwired into the script because two different hosts tried the
same PORT command, as follows:

Oct 29 06:27:40 ftphost ftpd[4277]: ftphost (cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
Oct 29 12:07:13 ftphost ftpd[4360]: ftphost (202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address mismatch).

        216.25.117.6 doesn't have a PTR record.

        Do I recall this correctly, that the PORT command abused this way
would allow the attacker to bounce communications off of my host as a relay
to a 3rd party host?

--
	gowen -- Greg Owen -- gowen_at_SoftLock.com
Received on Nov 02 2000
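
The log lines quoted in the message above can be checked mechanically. The following is an added example, not part of the original post: it decodes each PORT argument per RFC 959 (h1,h2,h3,h4,p1,p2), flags commands that name a host other than the connected client, and groups them by target. The function names are hypothetical and the regex assumes the log layout shown in the message, with each wrapped entry rejoined onto one line.

```python
import re
from collections import defaultdict

# The two log lines quoted in the message, each rejoined onto one line.
SAMPLE_LOG = """\
Oct 29 06:27:40 ftphost ftpd[4277]: ftphost (cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
Oct 29 12:07:13 ftphost ftpd[4360]: ftphost (202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
"""

# Matches "(name[client-ip]) ... PORT h1,h2,h3,h4,p1,p2" as laid out in those lines.
LINE_RE = re.compile(
    r"\((?P<name>[^\[\s]+)\[(?P<client>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r".*?\bPORT (?P<arg>\d{1,3}(?:,\d{1,3}){5})\b"
)

def decode_port_arg(arg):
    """Decode an RFC 959 PORT argument into (ip, port); port = p1*256 + p2."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def find_mismatched_ports(log_text):
    """One record per PORT command whose address is not the control-connection peer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip, port = decode_port_arg(m.group("arg"))
        except ValueError:
            continue  # not a well-formed PORT argument; skip the line
        if ip != m.group("client"):
            hits.append({"client": m.group("client"), "target_ip": ip,
                         "target_port": port, "privileged_port": port < 1024})
    return hits

def shared_targets(hits):
    """Targets named by more than one client, which suggests a scripted value."""
    by_target = defaultdict(set)
    for h in hits:
        by_target[(h["target_ip"], h["target_port"])].add(h["client"])
    return {t: sorted(c) for t, c in by_target.items() if len(c) > 1}

if __name__ == "__main__":
    for target, clients in shared_targets(find_mismatched_ports(SAMPLE_LOG)).items():
        print(target, "named by", clients)
```

Both quoted entries decode to the same third-party address and a port below 1024, sent from two unrelated clients.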