Full Disclosure mailing list archives
Re: repeated port 21 attempts
From: Cardoso <cardosolistas () contraditorium com>
Date: Tue, 13 Jun 2006 15:41:11 -0300
A lot of modern Windows apps "call home" for updates or license checks. Unless you have a very restrictive policy of installed software, your network will see a lot of calls like that.

Also some programs scan the local network searching for peers or servers, iTunes does it, I think.

On Tue, 13 Jun 2006 13:26:20 -0500 Jacob Wu <Wu () AUX UWM EDU> wrote:

JW> I have received the suggestion that these attempts to connect to our ftp
JW> server are actually attempts to connect to some anti-virus ftp server for
JW> updates. This is quite probable given that:
JW>
JW> 1.) When our client has a 10.x.x.x address all dns requests resolve to the
JW> IP number of my server.
JW> 2.) After they register and have a "real" IP we switch them to a real DNS
JW> server.
JW>
JW> It is also possible that it could be a bot "calling home", but when we have
JW> brought the computers down to our office and scanned them ourselves we can't
JW> find anything on them.
JW>
JW> I'm going to call this one done since the "attacks" seem to go away once we
JW> give them a "real" IP. Thanks to all.
JW>
JW> -----Original Message-----
JW> From: Andrew Farmer [mailto:andfarm () gmail com]
JW> Sent: Tuesday, June 13, 2006 12:49 PM
JW> To: Jacob Wu
JW> Cc: full-disclosure () lists grok org uk
JW> Subject: Re: Re: [Full-disclosure] repeated port 21 attempts
JW>
JW> On 6/13/06, Jacob Wu <Wu () aux uwm edu> wrote:
JW> > They are all non routable 10.x.x.x IPs. This is for a residence hall at my
JW> > University. Residents, when they first turn on their computers, are given a
JW> > 10.x.x.x IP and made to register and agree with the network use policy.
JW> > Once they do that they are given a "real" IP and thus access to the
JW> > internet.
JW>
JW> Are you doing something weird with DNS that's making this one machine's
JW> address to show up on lookups, or messing with routing so that everything
JW> gets redirected to this box?
JW>
JW> If so, I'd wonder if this is some sort of bot that you're seeing that's
JW> trying to "call home" with FTP. It might behoove you to (kindly) ask the
JW> owner of one of the machines to let you take a look at their machine to see
JW> what it's doing.
JW>
JW> > Someone sent me this link:
JW> >> Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04
JW> > But it gives me less information than iptables does.
JW>
JW> You may have to modify it to better imitate an FTP server - it was written
JW> for use as a faux HTTP server. In particular, the client may be waiting for
JW> a banner and/or greeting before it makes a request.
JW>
JW> _______________________________________________
JW> Full-Disclosure - We believe in it.
JW> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
JW> Hosted and sponsored by Secunia - http://secunia.com/
JW> Allgemeinen Anschulterlaubnis

Cardoso <cardoso () pobox com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com
personal site and blog: http://www.carloscardoso.com
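
The point quoted above, that an FTP client may wait for a banner before it sends anything, as an added example (not code from the thread or from websnarf): a small listener that greets first and records the commands each client sends, so the account name it asks for can be compared against known updaters. The banner text, port 2121 and the function names are assumptions.

```python
import socket
import threading

BANNER = b"220 FTP service ready\r\n"   # constructed greeting, not a real product banner
# Replies that keep a client talking without ever granting a login.
REPLIES = {"USER": b"331 Password required\r\n",
           "PASS": b"530 Login incorrect\r\n",
           "QUIT": b"221 Goodbye\r\n"}

def handle_session(conn, peer, max_lines=20, timeout=10.0):
    """Greet first, then record each command line the client sends."""
    seen = []
    conn.settimeout(timeout)
    reader = conn.makefile("rb")
    try:
        conn.sendall(BANNER)                # many clients stay silent until greeted
        for _ in range(max_lines):          # bound the session length
            raw = reader.readline(512)      # bound the line length
            if not raw:
                break
            line = raw.decode("latin-1").strip()
            if not line:
                continue
            verb = line.split(" ", 1)[0].upper()
            shown = "PASS ****" if verb == "PASS" else line   # never store passwords
            seen.append((peer, shown))
            conn.sendall(REPLIES.get(verb, b"502 Command not implemented\r\n"))
            if verb == "QUIT":
                break
    except OSError:                         # timeouts and resets end the session
        pass
    finally:
        reader.close()
        conn.close()
    return seen

def serve(host="0.0.0.0", port=2121):
    """Accept loop. Port 2121 is an assumption; redirect port 21 to it at the firewall."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=lambda c=conn, a=addr: print(handle_session(c, a[0])),
                             daemon=True).start()

if __name__ == "__main__":
    serve()
```
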
Current thread:
- repeated port 21 attempts Jacob Wu (Jun 12)
- Re: repeated port 21 attempts Rodrigo Barbosa (Jun 12)
- Re: repeated port 21 attempts Matt Venzke (Jun 12)
- Re: repeated port 21 attempts pwnd . security . pwnd (Jun 13)
- RE: repeated port 21 attempts Ken Dunham (Jun 13)
- Re: repeated port 21 attempts Andrew Farmer (Jun 14)
- RE: repeated port 21 attempts Ken Dunham (Jun 13)
- <Possible follow-ups>
- Re: Re: repeated port 21 attempts Jacob Wu (Jun 13)
- Re: Re: repeated port 21 attempts Andrew Farmer (Jun 13)
- RE: Re: repeated port 21 attempts Jacob Wu (Jun 13)
- Re: repeated port 21 attempts Cardoso (Jun 13)