Security Incidents: Re: big increase in ftp scanning

Re: big increase in ftp scanning

From: Dante Mercurio <Dante_at_WEBCTI.COM>
Date: Wed, 1 Nov 2000 13:26:30 -0500

A recent firewall install pointed out that a customer had been breached via FTP
on IIS. The person who had installed the NT server had installed IIS 4.0
wide open, no patches, and their Internet connection had a static IP map on
their router through NAT to this server (Ugggg!). So much for them believing
NAT is an end-all to security. Not sure what exploit they used to gain
access.

The IP networks listed below match some of the IPs that ended up getting
blocked by the firewall. They set up shop on their server, and were hosting
.MP3 files from it. Looks like the infiltration happened about 10/16, based
on file creation dates, and was just found this Monday when we installed a
firewall for them. There must have been a link somewhere to this server,
because it later received some attempts from AOL dial-up accounts and
cornell.edu accounts, and continues to receive blocked FTP attempts two days
later.

M. Dante Mercurio, CCNA, MCSE+I, TNSP
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio_at_ccgsecurity.com

> -----Original Message-----
> From: Ian Eure [mailto:ieure_at_SICKFUCK.ORG]
> Sent: Sunday, October 29, 2000 6:59 PM
> To: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: big increase in ftp scanning
>
>
> i've seen a ton of ftp scans in the last week.
>
> they have come from:
>
> 62.226.217.222 (p3EE2D9DE.dip.t-dialin.net)
> 64.209.232.25 (isengard.iad4.gctr.net)
> 62.20.37.140 (basecamp.gotland.se)
> 24.28.122.195 (cs28122-195.houston.rr.com)
> 24.162.74.203 (cs16274-203.austin.rr.com)
>
> all this has been in the last week. i run wu-ftpd 2.6.0, with a backport
> of the fix from 2.6.1. high risk, but there's no anonymous account, and no
> untrusted users have access to ftp.
>
> somewhat OT, can someone recommend a more secure ftpd? it seems like
> almost all of the ftp daemons had (have?) bad security problems.
>
> --
> ______________________________________________
> | "the whole scale of cosmic dimensions are falling from my mouth
> | in the description of a kiss of the interimlovers"
> | - einsturzende neubaten, "interim"
>
Received on Nov 05 2000
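The correlation Dante describes above (blocked FTP attempts matched against the networks of the addresses Ian listed), written out as an added example that is not code from either poster. The firewall log format is an assumption of this example, the sample lines are constructed, and each reported address is widened to its /24 to stand in for "the IP's networks".

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Source addresses named in Ian Eure's post; the reply matched the firewall
# blocks against their networks, so each is widened to its /24 (assumption).
REPORTED_SCANNERS = [
    "62.226.217.222", "64.209.232.25", "62.20.37.140",
    "24.28.122.195", "24.162.74.203",
]
REPORTED_NETS = [ipaddress.ip_network(f"{ip}/24", strict=False)
                 for ip in REPORTED_SCANNERS]

# Constructed log format (assumption, not any real firewall's syntax):
# "<date> DENY TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+) DENY TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")

def parse_denies(lines, port=21):
    """Yield (date, src_ip) for each denied connection to the given port."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and int(m.group(3)) == port:
            yield m.group(1), m.group(2)

def in_reported_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REPORTED_NETS)

def correlate(lines):
    """Count denied FTP attempts per source and list sources seen per day,
    flagging sources inside one of the networks reported on the list."""
    per_source = Counter()
    per_day = defaultdict(set)
    for day, src in parse_denies(lines):
        per_source[src] += 1
        per_day[day].add(src)
    report = {src: {"attempts": n, "reported_net": in_reported_network(src)}
              for src, n in per_source.items()}
    return report, {d: sorted(s) for d, s in per_day.items()}

# Constructed sample log lines modelled on the thread (not real captures).
SAMPLE_LOG = """\
2000-10-30 DENY TCP 62.226.217.9:4321 -> 10.0.0.5:21
2000-10-30 DENY TCP 24.28.122.195:1044 -> 10.0.0.5:21
2000-10-30 DENY TCP 198.51.100.7:2048 -> 10.0.0.5:80
2000-10-31 DENY TCP 24.28.122.195:1045 -> 10.0.0.5:21
2000-11-01 DENY TCP 203.0.113.44:3333 -> 10.0.0.5:21
""".splitlines()

if __name__ == "__main__":
    report, days = correlate(SAMPLE_LOG)
    for src, info in sorted(report.items()):
        print(f"{src:16} attempts={info['attempts']} reported_net={info['reported_net']}")
    print("days with blocked FTP attempts:", sorted(days))
```

Only TCP/21 denials are counted, so the port-80 line is ignored; a source that keeps appearing on later days, as in the thread, shows up as repeated entries in the per-day map.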
