RE: wu-ftpd attack???

From: Bojan Zdrnja <Bojan.Zdrnja(at)FER.hr>
Date: Wed Nov 27 2002 - 05:42:17 EST

I get loads of similar connections every day. I suppose it's some (very simple) automated tool to check various servers if they accept anonymous connections (probably used by warez kids who then upload their warez into server and use it as distribution site).

In your case, connections from remote client are too excessive - maybe automated tool isn't properly configured.

Default setting in tcp wrappers (which you obviously use to start proftpd) allows maximum of 40 spawned sessions of one service in 60 seconds. In your case, it goes over this maximum number, so inetd terminates proftpd service.

If you don't use anonymous ftp (and you said you don't), you can put some restrictions on allowed IPs which connect to your ftp server (of course, if that's possible).

In other case, you can put higher value on allowed maximum number of spawned connections in /etc/inetd.conf file.

Just find line with proftpd, it should look like:

ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd

and change nowait parameter to something like nowait.400 This will allow 400 spawned connections in 60 seconds.

Best regards,

Bojan Zdrnja

> -----Original Message-----
> From: M. den Braber [mailto:maurice@office.igr.nl]
> Sent: 26. studeni 2002 10:05
> To: incidents@securityfocus.com
> Subject: RE: wu-ftpd attack???
>
>
> I just posted this in focus-linux a minute ago, looks the same:

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Wed Nov 27 21:53:31 2002