
FTP Bounce scan



  Today, I saw in the snort logs the following:
(removed ip & date to get it in 78-col format)

193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42942 -> ip:58155 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42943 -> ip:58156 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42944 -> ip:58157 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42945 -> ip:58158 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42946 -> ip:58159 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42947 -> ip:58160 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42948 -> ip:58161 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42949 -> ip:58162 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42950 -> ip:58163 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42951 -> ip:58164 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42952 -> ip:58165 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42953 -> ip:58166 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42954 -> ip:58167 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42955 -> ip:58168 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42956 -> ip:58169 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42958 -> ip:58170 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42959 -> ip:58171 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42960 -> ip:58172 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42962 -> ip:58173 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42963 -> ip:58174 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42965 -> ip:58175 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42966 -> ip:58176 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42967 -> ip:58177 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:21 -> ip:58180 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:43074 -> ip:113 SYN 12****S* RESERVEDBITS
143.169.4.111:22 -> ip:22 SYNFIN ******SF 
143.169.4.111:4614 -> ip:22 SYN ******S* 

Is this a so-called ftp-bounce scan?
Because it starts every time with a connection from port 21,
and then a bunch of connections on higher ports.
These came in bursts, each time for about one minute or so.

The source is 'source.rfc822.org' (193.189.224.13).

Does this mean their ftp server is misconfigured?
Should I warn them about this?

Nothing got through my firewall (and ippl didn't show anything
either), so I shouldn't worry about this?

Am I right in saying that using ipt_conntrack_ftp doesn't make me more
vulnerable to this, as it only opens up for connections going *out* from
my machine?

  Thanks for the info,

  Dries
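A detection heuristic for log lines in this format, added here as an example and not part of the post above: it decodes snort's eight-column flag field, separates SYN-ACK replies (answers to connections that left the network) from unsolicited SYNs, and looks for the footprint an FTP bounce scan actually leaves on the target, which is unsolicited data connections from the abused server's ftp-data port 20. The 198.51.100.7 lines in the sample are constructed; the others copy the format of the entries quoted above.

```python
import re
from collections import Counter, defaultdict
# snort's 8-column TCP flag field: reserved bits 1 and 2 (later the ECN bits), URG, ACK, PSH, RST, SYN, FIN.
FLAG_POS = "12UAPRSF"
LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) \S+ (\S{8})")

def parse_line(line):
    """Parse 'src:port -> dst:port NAME FLAGS ...' into a dict; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": {FLAG_POS[i] for i, ch in enumerate(flags) if ch != "*"}}

def classify(entry):
    """Tell replies to connections opened from our side apart from unsolicited attempts."""
    f = entry["flags"]
    if "S" in f and "F" in f:
        return "syn-fin"          # never produced by a normal handshake
    if "S" in f and "A" in f:
        return "reply"            # SYN-ACK: answer to a SYN that left our network
    return "unsolicited-syn" if "S" in f else "other"

def summarize(log_text):
    """Per-source packet counts by class, plus how many carried the reserved bits."""
    per_src = defaultdict(Counter)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        per_src[e["src"]][classify(e)] += 1
        per_src[e["src"]]["reserved-bits"] += bool(e["flags"] & {"1", "2"})
    return dict(per_src)

def bounce_scan_suspects(log_text, min_ports=3):
    """Sources sending unsolicited SYNs from ftp-data (port 20) to several of our ports: a compliant
    FTP server abused through PORT opens its data connections from port 20, not from port 21."""
    hit = defaultdict(set)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["sport"] == 20 and classify(e) == "unsolicited-syn":
            hit[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in hit.items() if len(p) >= min_ports}

# Constructed sample: first three lines copy the quoted snort format; the 198.51.100.7 lines are invented.
SAMPLE = """\
193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
143.169.4.111:22 -> ip:22 SYNFIN ******SF
198.51.100.7:20 -> ip:139 SYN ******S*
198.51.100.7:20 -> ip:445 SYN ******S*
198.51.100.7:20 -> ip:3306 SYN ******S*
"""
```

Run over the full log above, `summarize` shows which entries are SYN-ACKs (replies to connections that originated behind the firewall) and `bounce_scan_suspects` stays empty unless unsolicited SYNs from port 20 appear.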
