Security Incidents mailing list archives

Re: big increase in ftp scanning
From: Greg Owen <gowen () SOFTLOCK COM>
Date: Tue, 31 Oct 2000 15:58:55 -0500

      All appear to simply be traversing the tree and looking
for writable directories, rather than probing for compromise.

        Pardon, I found one more thing in the logs.  They are apparently
also issuing an invalid PORT command (trying to bounce off my server?)  I
assume it is hardwired into the script because two different hosts tried the
same PORT command, as follows:

Oct 29 06:27:40 ftphost ftpd[4277]: ftphost
(cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21
(address mismatch).
Oct 29 12:07:13 ftphost ftpd[4360]: ftphost
(202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address
mismatch).

        216.25.117.6 doesn't have a PTR record.

        Do I recall this correctly, that the PORT command abused this way
would allow the attacker to bounce communications off of my host as a relay
to a 3rd party host?

--
        gowen -- Greg Owen -- gowen () SoftLock com
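
An added example, not part of the original post: a small Python log check for the "Refused PORT" entries shown above. It decodes the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2, where the port is p1*256+p2), compares it with the connecting client's address, and reports third-party targets requested by more than one client. The function names are hypothetical, and the regex assumes the log layout quoted in the post, with wrapped entries rejoined onto single lines.

```python
import re
from collections import defaultdict

# The two log entries quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Oct 29 06:27:40 ftphost ftpd[4277]: ftphost (cs28122-195.houston.rr.com[24.28.122.195]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
Oct 29 12:07:13 ftphost ftpd[4360]: ftphost (202.107.222.172[202.107.222.172]) - Refused PORT 216,25,117,6,1,21 (address mismatch).
"""

# Client "(name[ip])" followed by the refused PORT argument h1,h2,h3,h4,p1,p2.
REFUSED = re.compile(
    r"\((?P<name>[^\[\]()]*)\[(?P<client>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r".*?Refused PORT (?P<arg>\d{1,3}(?:,\d{1,3}){5})\b"
)

def decode_port_arg(arg):
    """Decode an RFC 959 PORT argument into (ip, port); None if a field exceeds 255."""
    octets = [int(x) for x in arg.split(",")]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]

def find_bounce_attempts(log_text):
    """Map each third-party (ip, port) target to the set of client IPs that requested it."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if not m:
            continue
        decoded = decode_port_arg(m.group("arg"))
        if decoded is None or decoded[0] == m.group("client"):
            continue  # malformed, or a normal PORT pointing back at the client
        targets[decoded].add(m.group("client"))
    return dict(targets)

def shared_targets(log_text, min_clients=2):
    """Targets requested by several different clients, which suggests a common script."""
    found = find_bounce_attempts(log_text)
    return {t: c for t, c in found.items() if len(c) >= min_clients}

if __name__ == "__main__":
    for (ip, port), clients in shared_targets(SAMPLE_LOG).items():
        print(f"{ip}:{port} requested by {sorted(clients)}")
```

On the two entries from the post, the shared target decodes to 216.25.117.6 port 277, requested by both client addresses.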

