Security Incidents
mailing list archives
Re: Strange FTP traffic...
From: Abe Getchell <agetchel () KDE STATE KY US>
Date: Fri, 29 Sep 2000 09:36:24 -0400
Hi Sean,
Chances are it's exactly as you said, a scan to check for a world
writable incoming dir. We see these hack attempts all the time on our
various FTP servers, and generally it isn't a problem... unless you have a
world writable incoming dir. =) While I've never seen these exact commands
being thrown at the FTP server, chances are the SK is using some kind of
script that randomizes the file and directory names it's trying to create.
Seen plenty of that. Check other FTP servers on your subnet for the same
type of hack, and if there are any, see if there is any pattern to the file
and dir names being created (or attempting to be created).
Thanks,
Abe
Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
-----Original Message-----
From: Sean Sosik-Hamor [mailto:ssh () SHN NU]
Sent: Thursday, September 28, 2000 3:34 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Strange FTP traffic...
I had some strange FTP traffic a week or two ago and I'm just now
getting around to remembering to post it. ;) Is anyone familiar with
this scan? Just looks like a check for a world writable incoming. I
need to clear out the WaReZ puppies and VCD couriers every once in a
while on this server, is this how they're finding me?
Sep 18 22:38:39 wind ftpd[19573]: mkdir incoming/. 36122218p
Sep 18 22:39:05 wind ftpd[8498]: mkdir incoming/. 1122218p
Sep 18 22:40:40 wind ftpd[14735]: mkdir incoming/.MaD/
Sep 23 02:46:04 wind ftpd[31482]: mkdir incoming/. MaD
Sep 25 11:14:08 wind ftpd[4647]: mkdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[4647]: rmdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[8516]: mkdir incoming/.000925171454p
Sep 25 11:14:09 wind ftpd[8516]: rmdir incoming/.000925171454p
There are no other strange log entries...
--
. / s t a n l e y / l o o k e d / q u i t e / b o r e d / a n d / s o
m e w h a t / d e t a c h e d , b u t / t h e n / p e n g u i n s / o
f t e n / d o / . ssh () shn nu . / / . http://projects.shn.nu/sean/ . /
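Added example (not part of the original messages): a Python triage of ftpd syslog lines like those quoted above, for the cross-server pattern check suggested in the reply. It treats a mkdir followed by an rmdir of the same hidden name from the same ftpd process as a write probe, lists hidden names that were created and never removed, and groups names by shape. The function names, the "incoming" default and the digit/whitespace collapsing are assumptions of this example.

```python
import re
from collections import Counter

# Constructed input: the ftpd syslog lines quoted in the message above.
SAMPLE_LOG = """\
Sep 18 22:38:39 wind ftpd[19573]: mkdir incoming/. 36122218p
Sep 18 22:39:05 wind ftpd[8498]: mkdir incoming/. 1122218p
Sep 18 22:40:40 wind ftpd[14735]: mkdir incoming/.MaD/
Sep 23 02:46:04 wind ftpd[31482]: mkdir incoming/. MaD
Sep 25 11:14:08 wind ftpd[4647]: mkdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[4647]: rmdir incoming/.000925171453p
Sep 25 11:14:08 wind ftpd[8516]: mkdir incoming/.000925171454p
Sep 25 11:14:09 wind ftpd[8516]: rmdir incoming/.000925171454p
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\sftpd\[(?P<pid>\d+)\]:\s"
    r"(?P<op>mkdir|rmdir)\s(?P<path>.+)$"
)

def hidden_dir_events(log, upload_dir="incoming"):
    """Yield mkdir/rmdir events for dot-prefixed names directly under upload_dir."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            parent, _, name = m["path"].rstrip("/").rpartition("/")
            if parent == upload_dir and name.startswith("."):
                yield m["host"], m["pid"], m["op"], name

def triage(log, upload_dir="incoming"):
    """Return (probes, leftovers): probes are names created and removed by the
    same ftpd process; leftovers are names with a mkdir but no rmdir."""
    pending, probes = {}, []
    for host, pid, op, name in hidden_dir_events(log, upload_dir):
        key = (host, pid, name)
        if op == "mkdir":
            pending[key] = name
        elif key in pending:
            probes.append(pending.pop(key))
    return probes, list(pending.values())

def name_shapes(names):
    """Collapse digit runs and whitespace so generated names group together."""
    return Counter(re.sub(r"\d+", "N", "".join(n.split())) for n in names)

if __name__ == "__main__":
    probes, leftovers = triage(SAMPLE_LOG)
    print("write probes:", probes, "| left in place:", leftovers)
    print("name shapes:", dict(name_shapes(probes + leftovers)))
```

The log records only the command issued, so a name in the second list may or may not exist on disk and should be checked there.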