Hosting Provided By

RE: wu-ftpd attack ???

From: Aaron Lewis <jim(at)jsw4.net>
Date: Tue Nov 26 2002 - 15:22:42 EST

Apologies, After some trial and error, the current syntax being used to collect traffic is

tcpdump -nvvX -s 1500 -w /var/log/ftpdump 'port 20 or 21' &

I'll supply the results after the next attack of substantial event. For everyone who's interested please provide me with a valid e-mail and I'll communicate directly as I do not wish to post explicit data to the list.

-----Original Message-----
From: Aaron Lewis [mailto:jim@jsw4.net]
Sent: Tuesday, November 26, 2002 9:19 AM To: 'OTERO Hernan Gustavo EDS'; fygrave@tigerteam.net Cc: incidents@securityfocus.com; da@securityfocus.com Subject: RE: wu-ftpd attack ???

Ok. In efforts to find out what went on here, I have taken down some of the security features recently implemented and restarted tcpdump with tcpdump -nvv -s 1500 -w 'port 20 or 21' > /var/log/ftpdump &

I have copied this to the people who have asked for more information. I'd rather deal with a few individuals directly than splatter this all over the list. As soon as I have another incident I will post the dump results

Thanks

-----Original Message-----
From: OTERO Hernan Gustavo EDS [mailto:bazhgo@techint.net] Sent: Tuesday, November 26, 2002 7:04 AM To: 'aaron@jsw4.net'
Subject: wu-ftpd attack ???

Do you need help?

Could you sendme the tcpdump ( and the command that you run to make the dump ie, tcpdump -nvv -s 1500 -w blablabla or any other )?

Thanks,

Hernán Otero
Information Security Analyst

>I'm experiencing a situation where wu-ftpd wu-ftpd-2.6.1-20 on Red Hat 7.2
2.4.18-18.7.x >is
>getting broken by some specific type of scan (I think). When this happens,
wu-ftpd just stops
>responding to connection requests but port 21 is still listening according
to netstat

>-anl. I restart xinetd and all is well.

>Now, what I have managed to catch in the logs, just before the server
stops, are several >connections
>(or a scan) from a specific IP address to multiple virt hosts on my server.
There
>is NO annon ftp and there are NO shell accounts. If someone is interested
in the tcp dump
>for the FTP traffic during this, let me know. Other than that there is
nothing suspicious
>in the logs.

>Can someone tell me what might be going on please...

>Aaron Lewis
>JSW4.NET

Do you need more help?

>---------------------------------------------------------------------------
-
>This list is provided by the SecurityFocus ARIS analyzer service.

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Nov 26 23:54:01 2002

This message: [ Message body ]
Next message: Toby Felgenner: "Re: Proxy server hit... Any ideas?"
Previous message: Ryan Yagatich: "Re: Help - a possible bot"
In reply to: Aaron Lewis: "RE: wu-ftpd attack ???"
In reply to Aaron D. Lewis: "wu-ftpd attack ???"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT