Is there a (fairly) recent exploit for common ftp daemons going around lately? In the past several days, I've seen a very noticeable jump in the number of people attempting anonymous ftp logins. Typically I noticed it once or twice a week, and usually single attempts, but now they're coming in every few hours and they each make 4 attempts within a second (which is one per IP bound to the box I'm watching). It looks like it has to be some kind of script.

Anyone else seeing any noticeable increases like this?

-c
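One way to pick the pattern described in the message above (several anonymous login attempts within a second, one per IP bound to the host) out of FTP logs. This is an added example, not part of the original thread; the log format, the function name `find_sweeps` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not from the thread):
# <ISO timestamp> src=<client IP> dst=<local IP> USER <name>
SAMPLE_LOG = """\
2001-03-19T09:14:02.100 src=198.51.100.23 dst=192.0.2.10 USER anonymous
2001-03-19T13:01:39.050 src=203.0.113.7 dst=192.0.2.10 USER anonymous
2001-03-19T13:01:39.210 src=203.0.113.7 dst=192.0.2.11 USER ftp
2001-03-19T13:01:39.480 src=203.0.113.7 dst=192.0.2.12 USER anonymous
2001-03-19T13:01:39.730 src=203.0.113.7 dst=192.0.2.13 USER anonymous
2001-03-19T13:05:00.000 src=198.51.100.23 dst=192.0.2.10 USER alice
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) USER (\S+)$")
ANON_USERS = {"anonymous", "ftp"}  # both names conventionally select anonymous FTP


def find_sweeps(log_text, window=timedelta(seconds=1), min_targets=4):
    """Return {src: sorted local IPs} for sources that tried anonymous logins
    against at least min_targets distinct local IPs inside one window."""
    attempts = defaultdict(list)  # src -> [(time, dst), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4).lower() not in ANON_USERS:
            continue  # skip unparseable lines and named-user logins
        attempts[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))

    sweeps = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps[src] = sorted(targets)
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: anonymous login sweep across {len(targets)} local IPs: {targets}")
```

A single anonymous login from one source (the first sample line) is not flagged; only a source that touches `min_targets` distinct local addresses inside the window is reported.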
On Mon, Mar 19, 2001 at 01:01:39PM -0800, Clayton Fiske wrote:
> Is there a (fairly) recent exploit for common ftp daemons going around lately? In the past several days, I've seen a very noticeable jump in the number of people attempting anonymous ftp logins. Typically I noticed it once or twice a week, and usually single attempts, but now they're coming in every few hours and they each make 4 attempts within a second (which is one per IP bound to the box I'm watching). It looks like it has to be some kind of script.
>
> Anyone else seeing any noticeable increases like this?
My snort logs (on my home network) show at least one scan like that every day, usually two or more.

Ben

--
Ben Beuchler          There is no spoon.
insyte@emt-p.org           -- The Matrix
On Mon, Mar 19, 2001 at 01:01:39PM -0800, Clayton Fiske had this to say:
> Is there a (fairly) recent exploit for common ftp daemons going around lately? In the past several days, I've seen a very noticeable jump in the number of people attempting anonymous ftp logins. Typically I noticed it once or twice a week, and usually single attempts, but now they're coming in every few hours and they each make 4 attempts within a second (which is one per IP bound to the box I'm watching). It looks like it has to be some kind of script.
>
> Anyone else seeing any noticeable increases like this?
probably due to the increasingly long thread on vulnerabilities in ftpds that is going on over in BUGTRAQ. Nothing too new, but every time a new 'sploit' is released there, every kiddie on the block just has to try it.

--
Scott Francis      scott@ [work:]      v i r t u a l i s . c o m
Systems Analyst    darkuncle@ [home:]  d a r k u n c l e . n e t
PGP fingerprint 7ABF E2E9 CD54 A1A8 804D 179A 8802 0FBA CB33 CCA7
illum oportet crescere me autem minui
> probably due to the increasingly long thread on vulnerabilities in ftpds that is going on over in BUGTRAQ. Nothing too new, but every time a new 'sploit' is released there, every kiddie on the block just has to try it.
to be a bit more specific. the exploit/bug comes from a problem with globbing. (ie: ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*)

affected ftp daemons are the majority of them (proftpd etc) except ncftpd and glftpd from what i've seen.

it was another one of those 'i'm so elite i'm going to notify the vendors 30 minutes before posting to bugtraq' so right now vendors are working on latest versions.

cheers,
-ken harris.
On Mon, Mar 19, 2001 at 07:17:32PM -0500, ken harris. wrote:
> it was another one of those 'i'm so elite i'm going to notify the vendors 30 minutes before posting to bugtraq'
15 minutes. And this <censored> even ran a DoS attack against ftp.proftpd.org to prove his point.
> so right now vendors are working on latest versions.
For ProFTPD a workaround exists. For the interested ones: http://www.proftpd.org/critbugs.html

Best regards,
Daniel (ProFTPD RPM packaging maintainer)
participants (5)
- Ben Beuchler
- Clayton Fiske
- Daniel Roesen
- ken harris.
- Scott Francis