Security Incidents mailing list archives

RE: FTP/Port 1038

From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Wed, 5 Feb 2003 00:26:41 +0200

Hi Hoof and all on the list,

(192,168,1,9,4,14)

4*256+14= 1038
nothing curious in this "probe"

just a passive mode connection from the client to your server _after_ he
requested the server to go to passive mode with this command

[2] Tue 04Feb03 10:21:25 - (000001) PASV


and your server responded that the client should the data connection
connect to him on port 1038.

[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode 
(192,168,1,9,4,14)


Your NAT should provide fixup for the address 192.168.1.9 and port 1038
and a permit and translation for the later incomming connection. If it
doesn't it's plain broken NAT.

Best regards,
Boyan Krosnov
http://boyan.ludost.net/
just another techie speaking for himself


-----Original Message-----
From: Hoof Hearted [mailto:capbligh2001 () hotmail com] 
Sent: Tuesday, February 04, 2003 8:50 PM
To: incidents () securityfocus com
Subject: FTP/Port 1038






Hi All

At 10:21 GMT today we had an incidence of an ftp user accessing a ServU 
(Version 2.5f) server through a NAT. A few seconds later the firewall
noted 
an inbound 'probe' on port 1038 (to the w/s - this port is not in the
NAT)

The workstation firewall picked up as follows:

2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 
192.168.1.9:1038
Port 1038 (TCP)


The ftp logs show:

[5] Tue 04Feb03 06:20:20 - (000007) Connected to 199.18.36.14 (Local
address 192.168.1.9)
[6] Tue 04Feb03 06:20:20 - (000007) 220 Serv-U FTP-Server v2.5f for

WinSock

ready...
[2] Tue 04Feb03 06:20:20 - (000007) USER anonymous
[6] Tue 04Feb03 06:20:20 - (000007) 331 User name okay, please send 
complete E-mail address as password.
[2] Tue 04Feb03 06:20:21 - (000007) PASS Ngpuser () home com
[5] Tue 04Feb03 06:20:21 - (000007) ANONYMOUS logged in, password: 
NGPUSER () HOME COM
[6] Tue 04Feb03 06:20:21 - (000007) 230 User logged in, proceed.
[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub: No such file or

directory.

[2] Tue 04Feb03 06:20:21 - (000007) CWD /public/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /public: No such file or

directory.

[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/incoming/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub/incoming: No such file or 
directory.
[2] Tue 04Feb03 06:20:21 - (000007) CWD /incoming/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /incoming: No such file or 
directory.
[2] Tue 04Feb03 06:20:22 - (000007) CWD /_vti_pvt/
[6] Tue 04Feb03 06:20:22 - (000007) 550 /_vti_pvt: No such file or 
directory.
[2] Tue 04Feb03 06:20:22 - (000007) CWD /
[6] Tue 04Feb03 06:20:22 - (000007) 250 Directory changed to /
[2] Tue 04Feb03 06:20:22 - (000007) MKD 030204011853p
[6] Tue 04Feb03 06:20:22 - (000007) 550 /030204011853p: Permission

denied.

[2] Tue 04Feb03 06:20:22 - (000007) CWD /upload/
[6] Tue 04Feb03 06:20:22 - (000007) 550 /upload: No such file or

directory.

[5] Tue 04Feb03 06:20:22 - (000007) Closing connection for user

ANONYMOUS

(00:00:02 connected)
[5] Tue 04Feb03 07:18:07 - (000008) Connected to 196.1.95.197 (Local 
address 192.168.1.9)
[6] Tue 04Feb03 07:18:07 - (000008) 220 Serv-U FTP-Server v2.5f for

WinSock

ready...
[5] Tue 04Feb03 07:18:07 - (000008) Closing connection
[1] Tue 04Feb03 10:06:39 - FTP server going down...
[1] Tue 04Feb03 10:16:03 - Starting FTP Server...  (Version 2.5f

(32-bit))

[5] Tue 04Feb03 10:21:20 - (000001) Connected to 203.198.145.93 (Local 
address 192.168.1.9)
[6] Tue 04Feb03 10:21:20 - (000001) 220 Serv-U FTP-Server v2.5f for

WinSock

ready...
[5] Tue 04Feb03 10:21:20 - (000001) IP-Name: MAIL.HYPRINT.COM
[2] Tue 04Feb03 10:21:21 - (000001) USER anonymous
[6] Tue 04Feb03 10:21:21 - (000001) 331 User name okay, please send 
complete E-mail address as password.
[2] Tue 04Feb03 10:21:21 - (000001) PASS ano () ano com
[5] Tue 04Feb03 10:21:21 - (000001) ANONYMOUS logged in, password: 
ANO () ANO COM
[6] Tue 04Feb03 10:21:21 - (000001) 230 User logged in, proceed.
[2] Tue 04Feb03 10:21:22 - (000001) TYPE I
[6] Tue 04Feb03 10:21:22 - (000001) 200 Type set to I.
[2] Tue 04Feb03 10:21:22 - (000001) STRU F
[6] Tue 04Feb03 10:21:22 - (000001) 200 STRU F ok.
[2] Tue 04Feb03 10:21:22 - (000001) MODE S
[6] Tue 04Feb03 10:21:22 - (000001) 200 MODE S ok.
[2] Tue 04Feb03 10:21:23 - (000001) REST 0
[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 0 - send STORE or

RETRIEVE to initiate transfer.
[2] Tue 04Feb03 10:21:23 - (000001) REST 1
[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 1 - send STORE or

RETRIEVE to initiate transfer.
[2] Tue 04Feb03 10:21:24 - (000001) REST 0
[6] Tue 04Feb03 10:21:24 - (000001) 350 Restarting at 0 - send STORE or

RETRIEVE to initiate transfer.
[2] Tue 04Feb03 10:21:24 - (000001) SYST
[6] Tue 04Feb03 10:21:24 - (000001) 215 UNIX Type: L8
[2] Tue 04Feb03 10:21:25 - (000001) PASV
[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode 
(192,168,1,9,4,14)
[5] Tue 04Feb03 10:22:06 - (000001) Closing connection for user

ANONYMOUS

(00:00:46 connected)


A cursory investigation noted that the 'probe' (allegedly from 
mail.hyprint.com) came from a machine that thinks it's
mail.hyprint.com.hk 
(seemingly no connection to hyprint.com who have a very different MX
config)

I might, at a push, believe this is a new user with a very open box,
except, 
the box seems to be a W2K advanced server with M$ Exchange 2000 and DNS
set 
up (alongside, RAdmin, ServUFTP 2.5j etc etc.) all running (apparently) 
behind a Linksys router (ip +8080).

Anyway - there's the heads up. :)



_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*  
http://join.msn.com/?page=features/virus


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

RE: FTP/Port 1038 Boyan Krosnov (Feb 04)
- RE: FTP/Port 1038 perrieror (Feb 13)
- <Possible follow-ups>
- FTP/Port 1038 Hoof Hearted (Feb 05)