Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)

[aleph1 () SECURITYFOCUS COM (Elias Levy)]

Message-ID: <B17EB7B34580D311BE38525405DF623225F0AD () atc-mail-db atctraining com au>
From: Tony Langdon <tlangdon () atctraining com au>
To: 'wayout' <wayout () WAYOUT IAE NL>, BUGTRAQ () SECURITYFOCUS COM
Subject: RE: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd
        )
Date: Thu, 6 Jul 2000 09:08:46 +1000

> >  - I, personally, have seen NO scanning for FTP services on
> my networks.
> >    While this is admitedly anecdotal evidence, the last
> exploit against
> >    WU-FTPD, which _did_ work and _was_ in widespread use,
> was acompanied by
> >    a marked increase in such scans on the networks I
> manage.  I have talked
> >    with several other network operators and most report no
> increase in
> >    scanning; one did report he is seeing some FTP probes on
> his campus.
> >    The probes and scans I am seeing are consistent with the
> most-recent
> >    CERT Current Activity report (
> >    http://www.cert.org/current/current_activity.html ).
> As a member of the System Administration group of a large
> cable network
> provider in the Netherlands I can state that there /has/ been
> an increase
> in FTP scans. Just as there was a noticeble increase in scans
> on port 21
> when wuftpd 2.5.0 was shown vulnerable.

I've seen only one scan on port 21 here, compared to numerous scans on other
ports, so it may be that those trying to make use of the exploit are
targetting specific areas/IP ranges.  By far the highest percentage (> 50%)
of scans are on the telnet port, followed by a mix of ports 109/tcp,
110/tcp, 111/tcp, 143/tcp, 1080/tcp, and a couple of UDP scans which
correcpond to Back Orifice and similar trojans.  Most scans are relatively
unsophisticated, looking more like manual connection attempts.  Probably 20%
are obviously automatic, trying one or more ports over the whole subnet.