Re: [cobalt-users] Raq3 ProFTP exploits
- Subject: Re: [cobalt-users] Raq3 ProFTP exploits
- From: flash22@xxxxxxx
- Date: Sat Feb 24 12:33:57 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 21 Feb 2001, GPS wrote:
> This is about the EIGHTH attempt in the past 72 hours of this break-in
> pattern:
> While everyone's worrying about Bind exploits the scriptkiddies are running
> some type of auto FTP checker. My theory is that it auto finds FTP hosts and
> auto logins and records

Another thing I learned from my recent kiddie attempt... he made a null
request on the web server about 20 minutes before, then hit it with a
browser to generate lots of normal page requests... I'm guessing he wanted
version info from apache...

If you run portsentry and you don't have any users using pop2, I'd
recommend using pop2 as an instant kill port...

(Watched him try to use pop2 to validate usernames on the machine, he also
used EXPN with usernames on sendmail, so I'd be watching for failed EXPNs
as a clue, but this is messier to do...)

Funny, never thought I'd find a raq bug useful, but sendmail incorrectly
verified usernames that mismatched domains, one fellow spent a lot of
time trying ftp login with a username that had no chance of working...

Last note, the last clown actually tried ftp login as 'root'...

gsh
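
One way to watch for the EXPN probing mentioned above, as an added example that is not part of the original post: it counts the distinct usernames each client tries via EXPN or VRFY, whether or not the lookup was rejected. The log line format, the sample lines and the `find_enumerators` name are assumptions constructed for illustration; adjust the pattern to what your sendmail actually logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post). Assumed format: sendmail's
# syslog entry "<client>: expn|vrfy <arg>", with " [rejected]" appended when
# PrivacyOptions refuses the command.
SAMPLE_LOG = """\
Feb 24 11:02:10 raq sendmail[2211]: NOQUEUE: host1.example [192.0.2.10]: expn admin
Feb 24 11:02:12 raq sendmail[2211]: NOQUEUE: host1.example [192.0.2.10]: expn bob [rejected]
Feb 24 11:02:13 raq sendmail[2211]: NOQUEUE: host1.example [192.0.2.10]: vrfy root [rejected]
Feb 24 11:02:15 raq sendmail[2211]: NOQUEUE: host1.example [192.0.2.10]: EXPN webmaster
Feb 24 11:05:40 raq sendmail[2230]: NOQUEUE: mail.example [198.51.100.7]: vrfy postmaster
Feb 24 11:06:01 raq sendmail[2231]: f1OB61x02231: from=<a@example.org>, size=512, nrcpts=1
"""

# Matches "sendmail[pid]: <queue-id>: <host> [ip]: expn|vrfy <name>".
# The host part may be empty, leaving only the bracketed address.
PROBE_RE = re.compile(
    r"sendmail\[\d+\]: \S+: (?P<client>.*?\[(?P<ip>[0-9.]+)\]): "
    r"(?P<cmd>expn|vrfy)\s+(?P<arg>\S+)(?P<rej> \[rejected\])?\s*$",
    re.IGNORECASE,
)


def find_enumerators(log_text, min_names=3):
    """Return {ip: sorted names probed} for clients that tried at least
    min_names distinct usernames via EXPN/VRFY, accepted or rejected."""
    names = defaultdict(set)
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            names[m.group("ip")].add(m.group("arg").lower())
    return {ip: sorted(n) for ip, n in names.items() if len(n) >= min_names}


if __name__ == "__main__":
    for ip, probed in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} probed {len(probed)} usernames: {', '.join(probed)}")
```
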