Hosting Provided By

RE: Quick question re FTP activity

From: darroch royden <darroch.royden(at)blueyonder.co.uk>
Date: Mon Nov 11 2002 - 17:17:43 EST

Looks like you have been marked as a mirror for chkrootkit and the user was trying to obtain a copy of:
www.chkrootkit.org/chkrootkit-poster-a1.pdf

I wouldn't worry, but I would disable anon ftp access :)

-----Original Message-----

From: Timothy M. Lyons [mailto:lyons@digitalvoodoo.org] Sent: 10 November 2002 10:21 AM
To: incidents@securityfocus.com
Subject: Quick question re FTP activity

I just brought this server online to lessen the stress on my web server, so I have to admit it's been a _long_ time since I ran FTP on anything. Can someone tell me what the user is trying to accomplish from the log excerpt below?

--Tim

---

"Leave the beaten path and dive into the woods. You are certain to find something interesting."

Alexander Graham Bell (1847 - 1922)

---begin ftp log---

Nov  9 08:53:15 envoy ftpd[2801]: USER anonymous
Nov  9 08:53:16 envoy ftpd[2801]: PASS m@m.com
Nov  9 08:53:16 envoy ftpd[2801]: ANONYMOUS FTP LOGIN FROM p9.pub.ro

[192.129.3.252], m@m.com Nov 9 08:53:16 envoy ftpd[2801]: TYPE Image Nov 9 08:53:16 envoy ftpd[2801]: PORT Nov 9 08:53:16 envoy ftpd[2801]: refused PORT 10.0.0.248,1362 from p9.pub.ro [192.129.3.252] Nov 9 08:53:17 envoy ftpd[2801]: PASV Nov 9 08:53:17 envoy ftpd[2801]: SIZE /pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf

Nov  9 08:53:17 envoy ftpd[2801]: REST 0
Nov  9 08:53:17 envoy ftpd[2801]: REST 100
Nov  9 08:53:17 envoy ftpd[2801]: RETR

/pub/mirrors/chkrootkit/chkrootkit-poster-a1.pdf Nov 9 08:53:21 envoy ftpd[2801]: ABOR
Nov 9 08:53:21 envoy ftpd[2801]: FTP session closed
---end log ---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Nov 12 16:14:40 2002

This message: [ Message body ]
Next message: Will Munkara-Kerr: "RE: Port 5552?"
Previous message: Waitman C. Gobble: "030 ignkeywords igetnet follow up"
In reply to Timothy M. Lyons: "Quick question re FTP activity"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

Do you need help?