Vulnerability Development: Re: PORT or PASV mode of IIS 4.0's FTP

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

Re: PORT or PASV mode of IIS 4.0's FTP

From: Dug Song <dugsong () MONKEY ORG>
Date: Thu, 3 Aug 2000 01:38:18 -0400

On Wed, 2 Aug 2000, C. K. Lung wrote:

The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP
server, the connection is killed by FW-1 after it got 100 files.  The
fw-log shows that when the client's "source port" hit a "pre-defined
service (port) in the rulebase, the connection is dropped.  CP
explained that FW-1 thought that it was a security violation.


can you show us the log entry?  or better yet, a traffic trace of the
client up to the connection drop? sounds like a collision in FW-1's
connection state table.

i wonder whether it's really FW-1 doing the dropping, or the FTP server -
in the course of testing duke's funny technique to determine listening RPC
services on filtered ports, i ran into several FTP servers that would exit
after a certain number of consecutive PASV requests:

        http://www.monkey.org/~dugsong/ftp-rpc-probe.sh

just a guess,

-d.

---
http://www.monkey.org/~dugsong/

By Date By Thread

Current thread:

PORT or PASV mode of IIS 4.0's FTP C. K. Lung (Aug 02)
- Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 02)
  - Re: PORT or PASV mode of IIS 4.0's FTP Adam Prato (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Dug Song (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Todd Garrison (Aug 03)
- Re: PORT or PASV mode of IIS 4.0's FTP Makoto Shiotsuki (Aug 08)