
[cobalt-users] Raq3 ProFTP exploits



This is about the EIGHTH attempt in the past 72 hours of this break-in pattern:

While everyone's worrying about Bind exploits, the script kiddies are running some type of auto FTP checker. My theory is that it auto-finds FTP hosts, auto-logs in and records the FTP server version so they can return later and attempt to hack in to exploitable FTPs. It seems to check every live IP on the Raq3. This particular ass is from Russia but I've also had them come in from Pakistan, Korea and a Credit Union test server here in the US. I don't see the same thing on Raq4s though.

I can't close FTP, legit clients could be logging in from anywhere. The ProFTP on this box is secure but it's nerve-wracking watching these buttheads connect. None of the sites have AnonFTP enabled. Anyone have any suggestions to stop this traffic short of closing down FTP? Firewalled now along with all the other security goodies.


Feb 21 07:27:29 ww3 proftpd[10266]: <IP snipped> (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:31 ww3 proftpd[10267]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:33 ww3 proftpd[10268]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10265]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10288]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10289]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10290]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:40 ww3 proftpd[10291]: (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:42 ww3 proftpd[10292]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:43 ww3 proftpd[10293]: (212.122.13.2[212.122.13.2]) - FTP session closed
Feb 21 07:27:28 ww3 in.proftpd[10265]: connect from 212.122.13.2
Feb 21 07:27:28 ww3 in.proftpd[10266]: connect from 212.122.13.2
Feb 21 07:27:30 ww3 in.proftpd[10267]: connect from 212.122.13.2
Feb 21 07:27:32 ww3 in.proftpd[10268]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10288]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10289]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10290]: connect from 212.122.13.2
Feb 21 07:27:39 ww3 in.proftpd[10291]: connect from 212.122.13.2
Feb 21 07:27:41 ww3 in.proftpd[10292]: connect from 212.122.13.2
Feb 21 07:27:42 ww3 in.proftpd[10293]: connect from 212.122.13.2
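
The burst pattern in the log above can be flagged automatically. The following is an added example, not part of the original post: a sliding-window counter over the `connect from` lines. The threshold, window size, year and the two 192.0.2.10 lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches lines of the form shown in the post:
#   "Feb 21 07:27:28 ww3 in.proftpd[10265]: connect from 212.122.13.2"
CONNECT_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+in\.proftpd\[\d+\]:\s+connect from\s+(\S+)")
ASSUMED_YEAR = 2001  # assumption: syslog timestamps carry no year

def find_bursts(lines, threshold=5, window_seconds=10):
    """Return {ip: peak count} for sources that reach `threshold` connects
    within any sliding window of `window_seconds` (inclusive)."""
    events = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    events.sort()  # merged log files are not always in time order
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop connects that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# The ten 212.122.13.2 lines are copied from the post; the two 192.0.2.10
# lines are constructed to stand in for a legitimate client.
SAMPLE = """\
Feb 21 07:27:28 ww3 in.proftpd[10265]: connect from 212.122.13.2
Feb 21 07:27:28 ww3 in.proftpd[10266]: connect from 212.122.13.2
Feb 21 07:27:30 ww3 in.proftpd[10267]: connect from 212.122.13.2
Feb 21 07:27:32 ww3 in.proftpd[10268]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10288]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10289]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10290]: connect from 212.122.13.2
Feb 21 07:27:39 ww3 in.proftpd[10291]: connect from 212.122.13.2
Feb 21 07:27:41 ww3 in.proftpd[10292]: connect from 212.122.13.2
Feb 21 07:27:42 ww3 in.proftpd[10293]: connect from 212.122.13.2
Feb 21 07:30:02 ww3 in.proftpd[10301]: connect from 192.0.2.10
Feb 21 07:41:15 ww3 in.proftpd[10340]: connect from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```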