
RE: wu-ftpd attack ???

From: Aaron Lewis <jim(at)jsw4.net>
Date: Tue Nov 26 2002 - 09:18:40 EST


Ok. In efforts to find out what went on here, I have taken down some of the security features recently implemented and restarted tcpdump with tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &

I have copied this to the people who have asked for more information. I'd rather deal with a few individuals directly than splatter this all over the list. As soon as I have another incident I will post the dump results.

Thanks

-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net]
Sent: Tuesday, November 26, 2002 7:04 AM
To: 'aaron@jsw4.net'
Subject: wu-ftpd attack ???

Could you send me the tcpdump (and the command that you ran to make the dump, i.e. tcpdump -nvv -s 1500 -w blablabla, or any other)?

Thanks,

Hernán Otero
Information Security Analyst

>I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2
>2.4.18-18.7.x is getting broken by some specific type of scan (I think). When
>this happens, wu-ftpd just stops responding to connection requests but port 21
>is still listening according to netstat -anl. I restart xinetd and all is well.

>Now, what I have managed to catch in the logs, just before the server stops,
>are several connections (or a scan) from a specific IP address to multiple
>virt hosts on my server. There is NO anon ftp and there are NO shell accounts.
>If someone is interested in the tcp dump for the FTP traffic during this, let
>me know. Other than that there is nothing suspicious in the logs.
>
>Can someone tell me what might be going on please...
>
>Aaron Lewis

>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
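The failure Aaron describes (port 21 shown as LISTEN by netstat while wu-ftpd no longer answers) is invisible to a plain port check, because xinetd accepts the TCP connection before the daemon ever speaks. The probe below is an added example, not code from this thread; it waits for the FTP 220 greeting (RFC 959) and reports a connection that is accepted but never greeted as a hung daemon. The local listeners it starts are constructed for the demo so it runs stand-alone.

```python
import socket
import threading

def check_ftp_banner(host, port, timeout=5.0):
    """Return 'responding', 'no-banner', 'refused' or 'timeout' for an FTP port."""
    # A bare TCP connect succeeds against a hung wu-ftpd because xinetd still
    # holds the port open, so wait for the 220 greeting before calling it healthy.
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                greeting = conn.recv(512)
            except socket.timeout:
                # Accepted but never greeted: the "still listening" state above.
                return "no-banner"
            return "responding" if greeting.startswith(b"220") else "no-banner"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"

def start_fake_ftp(mode):
    """Throwaway listener on 127.0.0.1, constructed for this demo; returns (host, port).
    mode 'ok' sends a 220 greeting, mode 'hung' accepts and then stays silent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if mode == "ok":
                conn.sendall(b"220 ftp.example.test FTP server (demo) ready.\r\n")
            conn.recv(1)  # hold the socket open until the client gives up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def unused_port():
    """Reserve and release a local port so a connect to it is refused (demo helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    for mode in ("ok", "hung"):
        host, port = start_fake_ftp(mode)
        print(f"{mode:4s} -> {check_ftp_banner(host, port, timeout=2.0)}")
    print(f"gone -> {check_ftp_banner('127.0.0.1', unused_port())}")
```

Pointed at a real server, a 'no-banner' result is the cue to restart xinetd (as Aaron does) and to pull the tcpdump capture for the minutes before it.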



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Nov 26 14:48:59 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT

