Subject: Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
From: Elias Levy (aleph1@SECURITYFOCUS.COM)
Date: Thu Jul 06 2000 - 12:25:02 CDT
- Next message: Elias Levy: "Re: ftpd: the advisory version"
- Previous message: Patrick Oonk: "Re: scan log and subsequent response from the host's ISP"
- Next in thread: Elias Levy: "Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Message-ID: <B17EB7B34580D311BE38525405DF623225F0AD@atc-mail-db.atctraining.com.au>
From: Tony Langdon <tlangdon@atctraining.com.au>
To: 'wayout' <wayout@WAYOUT.IAE.NL>, BUGTRAQ@SECURITYFOCUS.COM
Subject: RE: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
Date: Thu, 6 Jul 2000 09:08:46 +1000

> > - I, personally, have seen NO scanning for FTP services on my networks.
> > While this is admittedly anecdotal evidence, the last exploit against
> > WU-FTPD, which _did_ work and _was_ in widespread use, was accompanied by
> > a marked increase in such scans on the networks I manage. I have talked
> > with several other network operators and most report no increase in
> > scanning; one did report he is seeing some FTP probes on his campus.
> > The probes and scans I am seeing are consistent with the most-recent
> > CERT Current Activity report (
> > http://www.cert.org/current/current_activity.html ).
> >
> As a member of the System Administration group of a large cable network
> provider in the Netherlands I can state that there /has/ been an increase
> in FTP scans. Just as there was a noticeable increase in scans on port 21
> when wuftpd 2.5.0 was shown vulnerable.

I've seen only one scan on port 21 here, compared to numerous scans on other
ports, so it may be that those trying to make use of the exploit are
targeting specific areas/IP ranges. By far the highest percentage (> 50%)
of scans are on the telnet port, followed by a mix of ports 109/tcp,
110/tcp, 111/tcp, 143/tcp, 1080/tcp, and a couple of UDP scans which
correspond to Back Orifice and similar trojans. Most scans are relatively
unsophisticated, looking more like manual connection attempts. Probably 20%
are obviously automatic, trying one or more ports over the whole subnet.