Mailinglist Archive: opensuse-security (471 mails)
Re: [suse-security] strange ftp-scan
- From: Peter Münster <peter@xxxxxxxxxxxxxxx>
- Date: Sat, 7 Oct 2000 12:14:42 +0200 (CEST)
- Message-id: <Pine.LNX.4.21.0010071159370.15052-100000@xxxxxxxxxxxxxxxxxxxxxxx>
On Sat, 7 Oct 2000, Kurt Seifried wrote:
> > today I got about 50 messages like the following in /var/log/messages:
> > Oct 7 10:11:51 gmv wu.ftpd[14694]: connect from 211.56.234.227
> > Oct 7 10:11:51 gmv ftpd[14694]: FTP session closed
> > ... and it's still going on!
> > What could be the deeper meaning, when someone it making connections the
> > whole day long? ^^--(is)
Some more details:
one first connection for about 4 seconds
Oct 7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
Oct 7 03:06:14 gmv ftpd[8685]: FTP session closed
And then, from 7.35 on, a connection of about 0 seconds every 4 minutes.
Now the connections are refused by /etc/hosts.deny, but it's still going
on:
Oct 7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
> WuFTPD has more security holes than a .... well actually it's in my top 10
> for "most insecure software ever written and maintained". There are
> _several_ root hacks for it in this year alone. I wouldn't use WuFTPD if
> someone had a gun to my head.
Ok, I used it only because of Thomas' letter in June
(http://lists.suse.com/archives/suse-security/2000-Jun/0167.html)...
> Then it's time to shut down the box, look for signs of intrusion and probably
I really can't find any hint of intrusion...
I am going to try to take a look at the traffic (perhaps with tcpdump?)...
Peter
--
Peter Münster
http://w3pm.stormloader.com/
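
The timing pattern described in this message (one session of about 4 seconds, then near-zero-length sessions every 4 minutes, then refusals once /etc/hosts.deny is in place) can be extracted from the syslog mechanically. The following is an added example, not part of the original message: the function name `summarize`, the one-hour gap cutoff, the assumed year and the 07:35 to 07:43 sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the format of the log lines quoted in the message
# (the 07:35-07:43 entries are made up to illustrate the 4-minute cadence).
SAMPLE_LOG = """\
Oct 7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
Oct 7 03:06:14 gmv ftpd[8685]: FTP session closed
Oct 7 07:35:02 gmv wu.ftpd[9001]: connect from 211.56.234.227
Oct 7 07:35:02 gmv ftpd[9001]: FTP session closed
Oct 7 07:39:03 gmv wu.ftpd[9017]: connect from 211.56.234.227
Oct 7 07:39:03 gmv ftpd[9017]: FTP session closed
Oct 7 07:43:02 gmv wu.ftpd[9030]: connect from 211.56.234.227
Oct 7 07:43:02 gmv ftpd[9030]: FTP session closed
Oct 7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:wu\.)?ftpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^(refused )?connect from (\S+)$")

def summarize(log_text, year=2000):  # syslog lines carry no year; assumed here
    """Per source IP: session durations, refusals, median gap between connects (s)."""
    open_sessions = {}  # pid -> (ip, connect time); connect and close share a pid
    stats = defaultdict(lambda: {"starts": [], "durations": [], "refused": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        c = CONNECT.match(msg)
        if c and c.group(1):          # blocked by tcp wrappers, no session follows
            stats[c.group(2)]["refused"] += 1
        elif c:
            open_sessions[pid] = (c.group(2), ts)
            stats[c.group(2)]["starts"].append(ts)
        elif msg == "FTP session closed" and pid in open_sessions:
            ip, start = open_sessions.pop(pid)
            stats[ip]["durations"].append((ts - start).total_seconds())
    result = {}
    for ip, s in stats.items():
        gaps = [(b - a).total_seconds() for a, b in zip(s["starts"], s["starts"][1:])]
        short = [g for g in gaps if g <= 3600]  # drop long pauses so the cadence shows
        result[ip] = {"connects": len(s["starts"]), "refused": s["refused"],
                      "durations": s["durations"],
                      "median_gap": median(short) if short else None}
    return result
```

A steady `median_gap` with near-zero `durations` points to an automated client rather than a person at an FTP prompt.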