Snort mailing list archives
RE: FTP command overflow attempt help
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Wed, 11 Dec 2002 13:07:44 -0500
The actual port requested looks to be 62010 ((242*256)+58), which would fit for an ephemeral FTP data connection. The only thing that makes me curious is the fact that the alerts don't look like the same FTP traffic as the log itself. If the user shown in the actual FTP logs isn't originating from 213.140.9.152, then you may be experiencing an FTP bounce attack. Since you mentioned subnet*s*, I'll assume they all look the same, so this could be a recon effort to identify passive-capable FTP servers.

I found a decent explanation on FTP command types here: http://slacksite.com/other/ftp.html

More info on FTP PORT command attacks can be found here: http://www.cert.org/tech_tips/ftp_port_attacks.html

hth,
John Hicks

-----Original Message-----
From: Tyler Owen [mailto:t.l.owen () larc nasa gov]
Sent: Wednesday, December 11, 2002 12:14 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] FTP command overflow attempt help

We are receiving a very large number of alerts triggering the "FTP command overflow attempt" alerts. These alerts are coming from two address ranges in Italy. Well, that is not really odd by itself, but what I am really confused on is the traffic (see below for snippet). They are logging into the machine via anonymous FTP using a password of ics () ipsilon zeta and then issuing the PORT command 5 times per packet. And it appears to be random how many times they do issue the command. The source IPs change but are always from either 213.140.0.0/16 or 213.156.0.0/16.

I am at a loss for what is going on. In researching valid traffic I never saw two PORT commands back to back, so is this an attempted DOS or what?? Any info would be very helpful!! I am sorry if this is not the correct avenue for this, but I wasn't sure where to seek help.

Thanks,
Tyler

<DEMARC ALERT SUMMARY>
2002-12-11 04:48:15 SID:3 CID:518383 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C  213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58
__________________________________________________________________
2002-12-11 04:48:07 SID:3 CID:518380 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C  213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58
__________________________________________________________________
2002-12-11 04:47:59 SID:3 CID:518379 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C  213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58
__________________________________________________________________
2002-12-11 04:47:51 SID:3 CID:518377 FTP command overflow attempt [TCP] 213.140.12.218:3483 -> 128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54  218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C  213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33  242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C  ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30  58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A  ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C  PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A              218,242,58
</DEMARC ALERT SUMMARY>

<ASCII traffic decode>
220 techreports.larc.nasa.gov FTP server ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS ics () ipsilon zeta
230 Guest login ok, access restrictions apply.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,193,253
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,24,243
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
</ASCII traffic decode>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
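As an added example that is not part of the thread: a small Python check that decodes the PORT arguments the way John does above (port = p1*256 + p2) and flags the bounce condition he describes, an advertised data host that differs from the peer that opened the control connection. The sample transcript is constructed from the decode in Tyler's mail; the `privileged` flag (data port below 1024) is an extra heuristic of my own, not something the thread states.

```python
import re

# 'PORT h1,h2,h3,h4,p1,p2': four address octets, then the data port split as p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port(line):
    """Decode one PORT command into (host, port); None if it is not a well-formed PORT."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # any field above 255 is not a valid octet
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyze(control_peer, transcript):
    """One (host, port, bounce, privileged) tuple per PORT command in a control-channel
    transcript. bounce: advertised host != peer that opened the control connection."""
    requests = []
    for line in transcript.splitlines():
        parsed = parse_port(line)
        if parsed is None:
            continue  # server replies, USER/PASS and other commands are skipped
        host, port = parsed
        requests.append((host, port, host != control_peer, port < 1024))
    return requests

def summarize(control_peer, transcript):
    """Counts an analyst would pivot on: total PORTs, host mismatches, privileged targets."""
    reqs = analyze(control_peer, transcript)
    return {
        "port_commands": len(reqs),
        "bounce_attempts": sum(1 for r in reqs if r[2]),
        "privileged_targets": sum(1 for r in reqs if r[3]),
    }

# Constructed sample built from the control-channel decode in the thread (password omitted);
# the peer that opened the control connection is the same host each PORT advertises.
SESSION_FROM_THREAD = """USER anonymous
230 Guest login ok, access restrictions apply.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,193,253
200 PORT command successful.
PORT 213,140,9,152,24,243
200 PORT command successful.
"""
```

Run against the thread's own session with `summarize("213.140.9.152", SESSION_FROM_THREAD)`, every PORT points back at the control peer on an ephemeral port, which is what makes John read it as noisy-but-legitimate active-mode traffic rather than a bounce.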
Current thread:
- FTP command overflow attempt help Tyler Owen (Dec 11)
- <Possible follow-ups>
- RE: FTP command overflow attempt help Hicks, John (Dec 11)