
RE: [cobalt-users] Raq3 ProFTP exploits



Another for the hosts.deny file

Chris Mason
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463
USA Fax (561) 382-7771
Take a virtual tour of the island
http://net.ai/ The Anguilla Guide
Find out more about NetConcepts
www.netconcepts.ai
Talk to me in real time with Instant Messenger: masonc92@xxxxxxxxxxx
Signature
F331 8AD1 36FB B3B0 DF9F  D95B 8024 D1EA 7450 D50C

-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of GPS
Sent: Wednesday, February 21, 2001 10:13 AM
To: Cobalt-Users@List. Cobalt. Com
Subject: [cobalt-users] Raq3 ProFTP exploits


This is about the EIGHTH attempt in the past 72 hours of this break-in pattern:

While everyone's worrying about BIND exploits the scriptkiddies are running some type of auto FTP checker. My theory is that it auto finds FTP hosts and auto logins and records the FTP server version so they can return later and attempt to hack in to exploitable FTP's. It seems to check every live IP on the Raq3. This particular ass is from Russia but I've also had them come in from Pakistan, Korea and a Credit Union test server here in the US. I don't see the same thing on Raq4's though.

I can't close FTP, legit clients could be logging in from anywhere. The ProFTP on this box is secure but it's nerve wracking watching these buttheads connect. None of the sites have AnonFTP enabled. Anyone have any suggestions to stop this traffic short of closing down FTP?  Firewalled now along with all the other security goodies.


Feb 21 07:27:29 ww3 proftpd[10266]: <IP snipped> (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:31 ww3 proftpd[10267]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:33 ww3 proftpd[10268]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10265]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10288]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10289]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:39 ww3 proftpd[10290]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:40 ww3 proftpd[10291]: (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:42 ww3 proftpd[10292]:  (212.122.13.2[212.122.13.2]) - FTP session closed.
Feb 21 07:27:43 ww3 proftpd[10293]: (212.122.13.2[212.122.13.2]) - FTP session closed
Feb 21 07:27:28 ww3 in.proftpd[10265]: connect from 212.122.13.2
Feb 21 07:27:28 ww3 in.proftpd[10266]: connect from 212.122.13.2
Feb 21 07:27:30 ww3 in.proftpd[10267]: connect from 212.122.13.2
Feb 21 07:27:32 ww3 in.proftpd[10268]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10288]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10289]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10290]: connect from 212.122.13.2
Feb 21 07:27:39 ww3 in.proftpd[10291]: connect from 212.122.13.2
Feb 21 07:27:41 ww3 in.proftpd[10292]: connect from 212.122.13.2
Feb 21 07:27:42 ww3 in.proftpd[10293]: connect from 212.122.13.2

_______________________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
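
The connect burst in the quoted log and the hosts.deny response suggested in the reply, as an added example that is not part of the original messages: it parses the tcp-wrapper "connect from" lines, flags any source that opens many connections in a short span, and formats hosts.deny rules for it. The threshold of 5 connects in 30 seconds, the year argument and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First six connect lines from the post, plus two constructed lines from
# 192.0.2.10 (documentation address) standing in for a legitimate client.
SAMPLE_LOG = """\
Feb 21 07:27:28 ww3 in.proftpd[10265]: connect from 212.122.13.2
Feb 21 07:27:28 ww3 in.proftpd[10266]: connect from 212.122.13.2
Feb 21 07:27:30 ww3 in.proftpd[10267]: connect from 212.122.13.2
Feb 21 07:27:32 ww3 in.proftpd[10268]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10288]: connect from 212.122.13.2
Feb 21 07:27:38 ww3 in.proftpd[10289]: connect from 212.122.13.2
Feb 21 07:30:00 ww3 in.proftpd[10301]: connect from 192.0.2.10
Feb 21 07:45:00 ww3 in.proftpd[10350]: connect from 192.0.2.10
"""

CONNECT_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ ([\w.-]+)\[\d+\]: connect from (\S+)$")

def parse_connects(log_text, year):
    """Yield (timestamp, daemon, client) per tcpd 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:  # session-closed and unrelated lines are skipped
            mon, day, clock, daemon, client = m.groups()
            # syslog omits the year, so the caller supplies it (assumption)
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            yield ts, daemon, client

def find_bursts(log_text, threshold=5, window_s=30, year=2001):
    """Return {(daemon, client): peak connects seen inside any window_s span}."""
    times = defaultdict(list)
    for ts, daemon, client in parse_connects(log_text, year):
        times[(daemon, client)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def hosts_deny_lines(flagged):
    """Format flagged sources as hosts.deny rules (daemon_list: client_list)."""
    return [f"{daemon}: {client}" for daemon, client in sorted(flagged)]
```

The daemon name in each rule is taken from the log line itself, since tcp wrappers match rules against the process name that tcpd logged.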