Security Incidents mailing list archives
RE: FTP/Port 1038
From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Wed, 5 Feb 2003 00:26:41 +0200
Hi Hoof and all on the list,
(192,168,1,9,4,14)
4*256+14 = 1038. Nothing curious in this "probe", just a passive mode connection from the client to your server _after_ he requested the server to go to passive mode with this command:
[2] Tue 04Feb03 10:21:25 - (000001) PASV
and your server responded that the client should connect the data connection to him on port 1038:
[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)
Your NAT should provide fixup for the address 192.168.1.9 and port 1038 and a permit and translation for the later incoming connection. If it doesn't, it's plain broken NAT.

Best regards,
Boyan Krosnov
http://boyan.ludost.net/
just another techie speaking for himself

-----Original Message-----
From: Hoof Hearted [mailto:capbligh2001 () hotmail com]
Sent: Tuesday, February 04, 2003 8:50 PM
To: incidents () securityfocus com
Subject: FTP/Port 1038

Hi All

At 10:21 GMT today we had an incidence of an ftp user accessing a ServU (Version 2.5f) server through a NAT. A few seconds later the firewall noted an inbound 'probe' on port 1038 (to the w/s - this port is not in the NAT). The workstation firewall picked up as follows:
2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 192.168.1.9:1038 Port 1038 (TCP)
The ftp logs show:
[5] Tue 04Feb03 06:20:20 - (000007) Connected to 199.18.36.14 (Local address 192.168.1.9)
[6] Tue 04Feb03 06:20:20 - (000007) 220 Serv-U FTP-Server v2.5f for WinSock ready...
[2] Tue 04Feb03 06:20:20 - (000007) USER anonymous
[6] Tue 04Feb03 06:20:20 - (000007) 331 User name okay, please send complete E-mail address as password.
[2] Tue 04Feb03 06:20:21 - (000007) PASS Ngpuser () home com
[5] Tue 04Feb03 06:20:21 - (000007) ANONYMOUS logged in, password: NGPUSER () HOME COM
[6] Tue 04Feb03 06:20:21 - (000007) 230 User logged in, proceed.
[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub: No such file or directory.
[2] Tue 04Feb03 06:20:21 - (000007) CWD /public/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /public: No such file or directory.
[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/incoming/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub/incoming: No such file or directory.
[2] Tue 04Feb03 06:20:21 - (000007) CWD /incoming/
[6] Tue 04Feb03 06:20:21 - (000007) 550 /incoming: No such file or directory.
[2] Tue 04Feb03 06:20:22 - (000007) CWD /_vti_pvt/
[6] Tue 04Feb03 06:20:22 - (000007) 550 /_vti_pvt: No such file or directory.
[2] Tue 04Feb03 06:20:22 - (000007) CWD /
[6] Tue 04Feb03 06:20:22 - (000007) 250 Directory changed to /
[2] Tue 04Feb03 06:20:22 - (000007) MKD 030204011853p
[6] Tue 04Feb03 06:20:22 - (000007) 550 /030204011853p: Permission denied.
[2] Tue 04Feb03 06:20:22 - (000007) CWD /upload/
[6] Tue 04Feb03 06:20:22 - (000007) 550 /upload: No such file or directory.
[5] Tue 04Feb03 06:20:22 - (000007) Closing connection for user ANONYMOUS (00:00:02 connected)
[5] Tue 04Feb03 07:18:07 - (000008) Connected to 196.1.95.197 (Local address 192.168.1.9)
[6] Tue 04Feb03 07:18:07 - (000008) 220 Serv-U FTP-Server v2.5f for WinSock ready...
[5] Tue 04Feb03 07:18:07 - (000008) Closing connection
[1] Tue 04Feb03 10:06:39 - FTP server going down...
[1] Tue 04Feb03 10:16:03 - Starting FTP Server... (Version 2.5f (32-bit))
[5] Tue 04Feb03 10:21:20 - (000001) Connected to 203.198.145.93 (Local address 192.168.1.9)
[6] Tue 04Feb03 10:21:20 - (000001) 220 Serv-U FTP-Server v2.5f for WinSock ready...
[5] Tue 04Feb03 10:21:20 - (000001) IP-Name: MAIL.HYPRINT.COM
[2] Tue 04Feb03 10:21:21 - (000001) USER anonymous
[6] Tue 04Feb03 10:21:21 - (000001) 331 User name okay, please send complete E-mail address as password.
[2] Tue 04Feb03 10:21:21 - (000001) PASS ano () ano com
[5] Tue 04Feb03 10:21:21 - (000001) ANONYMOUS logged in, password: ANO () ANO COM
[6] Tue 04Feb03 10:21:21 - (000001) 230 User logged in, proceed.
[2] Tue 04Feb03 10:21:22 - (000001) TYPE I
[6] Tue 04Feb03 10:21:22 - (000001) 200 Type set to I.
[2] Tue 04Feb03 10:21:22 - (000001) STRU F
[6] Tue 04Feb03 10:21:22 - (000001) 200 STRU F ok.
[2] Tue 04Feb03 10:21:22 - (000001) MODE S
[6] Tue 04Feb03 10:21:22 - (000001) 200 MODE S ok.
[2] Tue 04Feb03 10:21:23 - (000001) REST 0
[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 0 - send STORE or RETRIEVE to initiate transfer.
[2] Tue 04Feb03 10:21:23 - (000001) REST 1
[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 1 - send STORE or RETRIEVE to initiate transfer.
[2] Tue 04Feb03 10:21:24 - (000001) REST 0
[6] Tue 04Feb03 10:21:24 - (000001) 350 Restarting at 0 - send STORE or RETRIEVE to initiate transfer.
[2] Tue 04Feb03 10:21:24 - (000001) SYST
[6] Tue 04Feb03 10:21:24 - (000001) 215 UNIX Type: L8
[2] Tue 04Feb03 10:21:25 - (000001) PASV
[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)
[5] Tue 04Feb03 10:22:06 - (000001) Closing connection for user ANONYMOUS (00:00:46 connected)
A cursory investigation noted that the 'probe' (allegedly from mail.hyprint.com) came from a machine that thinks it's mail.hyprint.com.hk (seemingly no connection to hyprint.com, who have a very different MX config). I might, at a push, believe this is a new user with a very open box, except the box seems to be a W2K advanced server with M$ Exchange 2000 and DNS set up (alongside RAdmin, ServUFTP 2.5j etc etc.) all running (apparently) behind a Linksys router (ip +8080).

Anyway - there's the heads up. :)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
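Added example (not from either message in the thread): decode the Serv-U "227 Entering Passive Mode" reply exactly as Boyan does (port = p1*256 + p2) and correlate it with the workstation firewall hit, so that an inbound connection to the announced host:port from the same client a moment later is classified as the expected PASV data connection rather than a probe. The regexes assume the Serv-U 2.5f and firewall log line formats quoted above; the sample lines are copied from the thread and the alternate source address in the usage note is constructed.

```python
import re
from datetime import datetime, timedelta

# Serv-U reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the per-session "Connected to" line
PASV_RE = re.compile(r"^\[\d\] \w{3} (?P<ts>\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \((?P<sess>\d+)\) "
                     r"227 Entering Passive Mode \((?P<h>\d+,\d+,\d+,\d+),(?P<p1>\d+),(?P<p2>\d+)\)")
CONN_RE = re.compile(r"^\[\d\] \w{3} (?P<ts>\S+ \S+) - \((?P<sess>\d+)\) Connected to (?P<client>[\d.]+)")
# Workstation firewall line: "<date> <time> <src>:<sport> (<name>) <dst>:<dport> Port <dport> (TCP)"
FW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):\d+ \(.*?\) (?P<dst>[\d.]+):(?P<dport>\d+) Port")

def pasv_endpoint(h: str, p1: str, p2: str) -> tuple:
    """Decode the 227 reply: dotted host from h1-h4, port = p1*256 + p2 (here 4*256+14 = 1038)."""
    return h.replace(",", "."), int(p1) * 256 + int(p2)

def expected_data_connections(ftp_log: str) -> list:
    """One record per PASV reply: when it was sent, to which client, and the host:port announced."""
    clients, expected = {}, []
    for line in ftp_log.splitlines():
        if m := CONN_RE.match(line):
            clients[m["sess"]] = m["client"]          # remember the control-connection peer
        elif m := PASV_RE.match(line):
            host, port = pasv_endpoint(m["h"], m["p1"], m["p2"])
            expected.append({"time": datetime.strptime(m["ts"], "%d%b%y %H:%M:%S"),
                             "client": clients.get(m["sess"]), "host": host, "port": port})
    return expected

def classify(fw_line: str, expected: list, window: timedelta = timedelta(seconds=30)) -> str:
    """'pasv-data' when the inbound hit is the data connection a 227 reply invited (same peer,
    same announced host:port, shortly after the reply); anything else is 'unexplained'."""
    m = FW_RE.match(fw_line)
    if not m:
        return "unparsed"
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
    for e in expected:
        if (e["client"] == m["src"] and e["host"] == m["dst"] and e["port"] == int(m["dport"])
                and timedelta(0) <= ts - e["time"] <= window):
            return "pasv-data"
    return "unexplained"

# Constructed sample: the relevant lines from the thread's Serv-U and workstation firewall logs
FTP_LOG = """\
[5] Tue 04Feb03 10:21:20 - (000001) Connected to 203.198.145.93 (Local address 192.168.1.9)
[2] Tue 04Feb03 10:21:25 - (000001) PASV
[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)
"""
FW_HIT = "2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 192.168.1.9:1038 Port 1038 (TCP)"

if __name__ == "__main__":
    print(classify(FW_HIT, expected_data_connections(FTP_LOG)))   # pasv-data
```

A hit on the same port from a different source address, or one arriving minutes after the 227 reply, falls outside the match and stays 'unexplained', which is the case that does deserve a closer look.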
Current thread:
- RE: FTP/Port 1038 Boyan Krosnov (Feb 04)
- RE: FTP/Port 1038 perrieror (Feb 13)
- <Possible follow-ups>
- FTP/Port 1038 Hoof Hearted (Feb 05)