
Re: is this an attack?



On 29 Mar 2003 10:46:02 -0300, danilo lujambio wrote:

>I have an FTP server secured with the directives that I found in general
>docs. Yesterday my server was down at 19:30 approx.; the only suspicious
>track that I found is:
>
>18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
>Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
>Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
>Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
>Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
>Mar 28 18:59:08 web wu-ftpd[10527]: TYPE Image
>Mar 28 18:59:08 web wu-ftpd[10527]: STRU File
>Mar 28 18:59:08 web wu-ftpd[10527]: TYPE Image
>Mar 28 18:59:08 web wu-ftpd[10527]: STRU File
>Mar 28 18:59:09 web wu-ftpd[10527]: MODE Stream
>Mar 28 18:59:09 web wu-ftpd[10527]: REST 0
>Mar 28 18:59:09 web wu-ftpd[10527]: REST 1
>Mar 28 18:59:09 web wu-ftpd[10527]: MODE Stream
>Mar 28 18:59:09 web wu-ftpd[10527]: REST 0
>Mar 28 18:59:09 web wu-ftpd[10527]: REST 1
>Mar 28 18:59:10 web wu-ftpd[10527]: SYST
>Mar 28 18:59:10 web wu-ftpd[10527]: PASV
>Mar 28 18:59:10 web wu-ftpd[10527]: SYST
>Mar 28 18:59:10 web wu-ftpd[10527]: PASV
>Mar 28 18:59:14 web wu-ftpd[10527]: TYPE ASCII
>Mar 28 18:59:15 web wu-ftpd[10527]: LIST /
>Mar 28 18:59:16 web wu-ftpd[10527]: CWD /bin
>Mar 28 18:59:16 web wu-ftpd[10527]: PASV
>Mar 28 18:59:16 web wu-ftpd[10527]: TYPE Image
>Mar 28 18:59:16 web wu-ftpd[10527]: CWD /bin
>Mar 28 18:59:16 web wu-ftpd[10527]: PASV
>Mar 28 18:59:16 web wu-ftpd[10527]: TYPE Image
>Mar 28 18:59:17 web wu-ftpd[10527]: ALLO 104154
>Mar 28 18:59:17 web wu-ftpd[10527]: REST 0
>Mar 28 18:59:17 web wu-ftpd[10527]: STOR 582.258
>Mar 28 18:59:17 web wu-ftpd[10527]: ALLO 104154
>Mar 28 18:59:17 web wu-ftpd[10527]: REST 0
>Mar 28 18:59:17 web wu-ftpd[10527]: STOR 582.258
>Mar 28 18:59:17 web wu-ftpd[10527]: ALLO 104154
>Mar 28 18:59:17 web wu-ftpd[10527]: REST 0
>Mar 28 18:59:17 web wu-ftpd[10527]: STOR 582.258
[snip]

Hmm.  It's worth pointing out that some GUI FTP clients attempt to
avoid server-enforced idle timeouts of the control connection by
issuing random "no-op" commands at regular intervals to fool the
server into thinking meaningful activity is taking place - some of the
above looks like that.

However, the timestamps are closer together than is warranted for
this, and I'd be as suspicious as you about the "ALLO" and "STOR"
commands - they don't look like "no-op" commands to me.

Sorry I can't say anything more helpful.

Nick Boyce
Bristol, UK
--
"Remember - friends don't send friends HTML e-mail"
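To make the distinction Nick draws concrete, here is an added Python example (not code from the original thread or from wu-ftpd) that parses wu-ftpd syslog lines like the ones quoted above and separates harmless state-setting commands, which keepalive-style clients repeat, from filesystem-writing commands such as ALLO and STOR. It flags a session when an anonymous login is followed by an upload, and when the command rate is far above what an idle-timeout keepalive would produce. The sample input is a condensed subset of the lines quoted in the post; the command categories and the one-command-per-second threshold are my own assumptions, not anything the thread states.

```python
import re
from collections import defaultdict

# Condensed subset of the wu-ftpd log lines quoted in the original post.
# The first line is reproduced as it appeared there, without a date prefix.
SAMPLE_LOG = """\
18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 18:59:08 web wu-ftpd[10527]: TYPE Image
Mar 28 18:59:08 web wu-ftpd[10527]: STRU File
Mar 28 18:59:09 web wu-ftpd[10527]: MODE Stream
Mar 28 18:59:09 web wu-ftpd[10527]: REST 0
Mar 28 18:59:09 web wu-ftpd[10527]: REST 1
Mar 28 18:59:10 web wu-ftpd[10527]: SYST
Mar 28 18:59:10 web wu-ftpd[10527]: PASV
Mar 28 18:59:14 web wu-ftpd[10527]: TYPE ASCII
Mar 28 18:59:15 web wu-ftpd[10527]: LIST /
Mar 28 18:59:16 web wu-ftpd[10527]: CWD /bin
Mar 28 18:59:16 web wu-ftpd[10527]: PASV
Mar 28 18:59:16 web wu-ftpd[10527]: TYPE Image
Mar 28 18:59:17 web wu-ftpd[10527]: ALLO 104154
Mar 28 18:59:17 web wu-ftpd[10527]: REST 0
Mar 28 18:59:17 web wu-ftpd[10527]: STOR 582.258
Mar 28 18:59:17 web wu-ftpd[10527]: ALLO 104154
Mar 28 18:59:17 web wu-ftpd[10527]: REST 0
Mar 28 18:59:17 web wu-ftpd[10527]: STOR 582.258
"""

# Syslog line: optional "Mon DD", time, host, "wu-ftpd[pid]:", command, optional argument.
LINE_RE = re.compile(
    r"^(?:(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+)?(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+wu-ftpd\[(?P<pid>\d+)\]:\s+(?P<cmd>\S+)(?:\s+(?P<arg>.*))?$"
)

# Assumed categories: commands that only set session state (what a keepalive or a
# retrying client repeats) versus commands that write to the server's filesystem.
STATE_CMDS = {"NOOP", "SYST", "PASV", "PORT", "TYPE", "MODE", "STRU", "REST",
              "PWD", "CWD", "LIST", "NLST"}
WRITE_CMDS = {"STOR", "STOU", "APPE", "ALLO", "MKD", "RMD", "DELE", "RNFR", "RNTO", "SITE"}
UPLOAD_CMDS = ("STOR", "STOU", "APPE")
BURST_RATE = 1.0  # assumed: keepalives come every minute or so, not once a second


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict of fields for one wu-ftpd syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["arg"] = rec["arg"] or ""
    return rec


def analyse(log_text):
    """Group lines by server PID (one control connection) and summarise each session."""
    sessions = defaultdict(lambda: {"peer": None, "user": None, "cwd": "/", "cmds": 0,
                                    "state_cmds": 0, "writes": [], "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions[rec["pid"]]
        t = to_seconds(rec["time"])
        s["first"] = t if s["first"] is None else s["first"]
        s["last"] = t
        cmd, arg = rec["cmd"].upper(), rec["arg"]
        if cmd == "CONNECT":            # "connect from <addr>" is logged by the server, not a command
            s["peer"] = arg.split()[-1]
            continue
        s["cmds"] += 1
        if cmd == "USER":
            s["user"] = arg
        elif cmd == "CWD":
            s["cwd"] = arg
            s["state_cmds"] += 1
        elif cmd in STATE_CMDS:
            s["state_cmds"] += 1
        elif cmd in WRITE_CMDS:
            s["writes"].append(f"{cmd} {arg}".strip())
    return dict(sessions)


def findings(sessions):
    """Flag sessions that look like more than keepalive noise."""
    out = []
    for pid, s in sessions.items():
        reasons = []
        anonymous = (s["user"] or "").lower() in {"anonymous", "ftp"}
        if anonymous and any(w.startswith(UPLOAD_CMDS) for w in s["writes"]):
            reasons.append("anonymous upload")
        duration = max(1, s["last"] - s["first"])
        rate = round(s["cmds"] / duration, 2)
        if rate > BURST_RATE:
            reasons.append(f"{rate} commands/s")
        if reasons:
            out.append({"pid": pid, "peer": s["peer"], "cwd": s["cwd"], "rate": rate,
                        "reasons": reasons, "writes": s["writes"]})
    return out


if __name__ == "__main__":
    for f in findings(analyse(SAMPLE_LOG)):
        print(f"pid {f['pid']} from {f['peer']}: {', '.join(f['reasons'])}; "
              f"writes in {f['cwd']}: {f['writes']}")
```

Run against the quoted session it reports an anonymous login that changed into /bin and issued ALLO/STOR at two commands per second. The useful defender-side check that this makes obvious is whether the anonymous account can write to /bin at all; if the upload was logged but no file appeared, the directory permissions held, and if a file did appear, the permissions are the first thing to fix.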


