Full Disclosure mailing list archives

Re: Re: repeated port 21 attempts

From: Jacob Wu <Wu () AUX UWM EDU>
Date: Tue, 13 Jun 2006 11:09:05 -0500

They are all non routable 10.x.x.x IPs.  This is for a residence hall at my
University.  Residents, when they first turn on their computers, are given a
10.x.x.x IP and made to register and agree with the network use policy.
Once they do that they are given a "real" IP and thus access to the
internet.

 

I'm seeing these messages in /var/log/messages when the firewall drops the
connections.  Example:

 

      Jun 13 06:10:48 www kernel: REJECTED INCOMING PACKET IN=eth0 OUT=

      MAC=00:14:22:0e:a5:21:00:d0:01:4e:c7:fc:08:00 SRC=10.1.187.194

      DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43812 DF

      PROTO=TCP SPT=4388 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0

 

I'll get 6 of these and then nothing.  Then 5 minutes later 6 more.

 

This behavior is repeated by less than half a dozen other computers.  Each
computer sends 6, waits 5 min and repeat.

 

I only allow ftp connections from a small number of IPs, if it's not in my
list I send a "reset connection" packet and disconnect from the client.

 

Someone sent me this link:

Try websnarf:  http://www.unixwiz.net/tools/websnarf-1.04

<http://www.unixwiz.net/tools/websnarf-1.04> 

But it gives me less information than iptables does.

 

 

-----Original Message-----

From: pwnd.security.pwnd [mailto:pwnd.security.pwnd () gmail com
<mailto:pwnd.security.pwnd () gmail com> ] 

Sent: Tuesday, June 13, 2006 7:48 AM

To: Jacob Wu

Cc: full-disclosure () lists grok org uk

Subject: Re: [Full-disclosure] repeated port 21 attempts

 

On 6/12/06, Jacob Wu <Wu () aux uwm edu> wrote:

I'm getting port 21 connection attempts every 5 minutes from about half a

dozen of my network users. These attempts are repeating regularly with one

computer sending out 1500+ attempts a day. I have not seen this before and

I'm wondering if anyone else here has seen a client behave this way

before?


<snip>

 

Send me your source IP's.

Anyone got anything? Is this something new or just new to me?

_______________________________________________

Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html

<http://lists.grok.org.uk/full-disclosure-charter.html>

Hosted and sponsored by Secunia - http://secunia.com/

<http://secunia.com/>


 

 

-- 

 

pwnd.security.pwnd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

repeated port 21 attempts Jacob Wu (Jun 12)
- Re: repeated port 21 attempts Rodrigo Barbosa (Jun 12)
- Re: repeated port 21 attempts Matt Venzke (Jun 12)
- Re: repeated port 21 attempts pwnd . security . pwnd (Jun 13)
  - RE: repeated port 21 attempts Ken Dunham (Jun 13)
    - Re: repeated port 21 attempts Andrew Farmer (Jun 14)
- <Possible follow-ups>
- Re: Re: repeated port 21 attempts Jacob Wu (Jun 13)
  - Re: Re: repeated port 21 attempts Andrew Farmer (Jun 13)
- RE: Re: repeated port 21 attempts Jacob Wu (Jun 13)
  - Re: repeated port 21 attempts Cardoso (Jun 13)