Subject: Re: [suse-security] strange ftp-scan
From: Peter Münster (peter univ-rennes1.fr)
Date: Sat Oct 07 2000 - 05:14:42 CDT
On Sat, 7 Oct 2000, Kurt Seifried wrote:
> > today I got about 50 messages like the following in /var/log/messages:
> > Oct 7 10:11:51 gmv wu.ftpd[14694]: connect from 211.56.234.227
> > Oct 7 10:11:51 gmv ftpd[14694]: FTP session closed
> > ... and it's still going on!
> > What could be the deeper meaning, when someone it making connections the
> > whole day long? ^^--(is)
Some more details:
one first connection for about 4 seconds
Oct 7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
Oct 7 03:06:14 gmv ftpd[8685]: FTP session closed
And then, from 7.35 on, a connection of about 0 seconds every 4 minutes.
Now the connections are refused by /etc/hosts.deny, but it's still going
on:
Oct 7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
> WuFTPD has more security holes than a .... well actually it's in my top 10
> for "most insecure software ever written and maintained". There are
> _several_ root hacks for it in this year alone. I wouldn't use WuFTPD if
> someone had a gun to my head.
Ok, I used it only because of Thomas' letter in June
(http://lists.suse.com/archives/suse-security/2000-Jun/0167.html)...
> Then it's time to shut down the box, look for signs of intrusion and probably
I really can't find any hint of intrusion...
I am going to try to take a look at the traffic (perhaps with tcpdump?)...
Peter
--
Peter Münster
http://w3pm.stormloader.com/
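
An added example, not part of the original message: one way to summarize wu.ftpd connection lines like those quoted above per source address and flag sources that reconnect at a near-constant interval, as the 4-minute pattern in the post does. The function names, the thresholds, the assumed year and the sample lines (documentation addresses) are all constructed for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Matches wu.ftpd tcp-wrapper lines in the format shown in the post, accepted or refused.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+wu\.ftpd\[\d+\]:\s+"
                  r"(?P<refused>refused )?connect from (?P<src>\S+)")

def summarize(lines, year=2000):
    """Group attempts by source: attempt count, refused count, gaps in seconds."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            # Classic syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["src"]].append((ts, bool(m["refused"])))
    report = {}
    for src, events in seen.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        refused = sum(r for _, r in events)
        report[src] = {"attempts": len(events), "refused": refused, "gaps": gaps}
    return report

def periodic_sources(report, min_attempts=4, jitter=10):
    """Sources whose attempts repeat at a near-constant interval (automated polling)."""
    hits = {}
    for src, r in report.items():
        if r["attempts"] >= min_attempts:
            period = statistics.median(r["gaps"])
            # Every gap must sit within `jitter` seconds of the median gap.
            if all(abs(g - period) <= jitter for g in r["gaps"]):
                hits[src] = period
    return hits

# Constructed sample lines in the same format as the log excerpts in the post.
SAMPLE = """\
Oct  7 07:35:02 gmv wu.ftpd[9001]: connect from 192.0.2.10
Oct  7 07:35:02 gmv ftpd[9001]: FTP session closed
Oct  7 07:39:03 gmv wu.ftpd[9010]: connect from 192.0.2.10
Oct  7 07:43:01 gmv wu.ftpd[9020]: connect from 192.0.2.10
Oct  7 07:47:02 gmv wu.ftpd[9031]: refused connect from 192.0.2.10
Oct  7 07:51:04 gmv wu.ftpd[9040]: refused connect from 192.0.2.10
Oct  7 08:02:40 gmv wu.ftpd[9077]: connect from 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    print(periodic_sources(summarize(SAMPLE)))
```

A source that keeps the same interval after it starts being refused, as in the sample, is polling on a timer rather than reacting to the server's response.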