Security Incidents mailing list archives

RE: wu-ftpd attack???


From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Wed, 27 Nov 2002 11:42:17 +0100

I get loads of similar connections every day. I suppose it's some (very
simple) automated tool to check whether various servers accept anonymous
connections (probably used by warez kids who then upload their warez to the
server and use it as a distribution site).

In your case, the connections from the remote client are too excessive - maybe
the automated tool isn't properly configured.

The default setting in tcp wrappers (which you obviously use to start proftpd)
allows a maximum of 40 spawned sessions of one service in 60 seconds. In your
case, it goes over this maximum number, so inetd terminates the proftpd service.

If you don't use anonymous ftp (and you said you don't), you can put some
restrictions on allowed IPs which connect to your ftp server (of course, if
that's possible).

Otherwise, you can set a higher value for the allowed maximum number of spawned
connections in the /etc/inetd.conf file.

Just find the line with proftpd; it should look like:

ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/proftpd

and change the nowait parameter to something like nowait.400
This will allow 400 spawned connections in 60 seconds.

Best regards,

Bojan Zdrnja

-----Original Message-----
From: M. den Braber [mailto:maurice () office igr nl]
Sent: 26 November 2002 10:05
To: incidents () securityfocus com
Subject: RE: wu-ftpd attack???


I just posted this in focus-linux a minute ago, looks the same:

Hi guys,

I'm fairly new to the lists so I hope I'm dropping it
in the right one. ;-)

Anyway,

In my network there is a cobalt raq4 that is hosting several
sites and today I noticed that in the last couple of days the
number of connections shot through the roof. (Compared to usual ;) )

When I took a look at the logs I noticed that someone
is trying to log in using an anonymous ftp account, which is,
of course, disabled.

[log]
Nov 25 10:37:53 koushaven proftpd[8479]: - FTP session opened.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
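
Added example (not part of the original e-mails): a short Python check that counts proftpd "FTP session opened" syslog lines per 60-second window and compares the peak with the 40-per-60-seconds limit mentioned in the reply. The sliding-window counting, the function names, the assumed year and the generated sample log are assumptions of this example; only the log line format comes from the thread.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the proftpd syslog line format quoted in the thread.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]: "
    r".*FTP session opened\.")

def session_times(lines, year=2002):
    """Yield a datetime per 'FTP session opened' line (syslog omits the year,
    so the year is an assumption supplied by the caller)."""
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")

def peak_rate(times, window=timedelta(seconds=60)):
    """Return (peak_count, window_start) for the busiest sliding window."""
    recent, peak, peak_start = deque(), 0, None
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] >= window:   # drop sessions older than the window
            recent.popleft()
        if len(recent) > peak:
            peak, peak_start = len(recent), recent[0]
    return peak, peak_start

def exceeds_limit(lines, limit=40):
    """True when more than `limit` sessions start within any 60 seconds."""
    peak, _ = peak_rate(session_times(lines))
    return peak > limit

def build_sample(count, step_seconds):
    """Constructed sample log: `count` sessions spaced `step_seconds` apart."""
    start = datetime(2002, 11, 25, 10, 37, 53)
    out = []
    for i in range(count):
        t = start + timedelta(seconds=i * step_seconds)
        out.append(f"{t:%b %d %H:%M:%S} koushaven proftpd[{8479 + i}]: - FTP session opened.")
    return out

if __name__ == "__main__":
    burst = build_sample(50, 1)          # constructed: 50 sessions in 50 seconds
    peak, start = peak_rate(session_times(burst))
    print(f"peak {peak} sessions/60s from {start}; over limit of 40: {peak > 40}")
```

Run against the real syslog file, the peak shows how far above the limit the scanner's bursts go before picking a value for nowait.N.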

