EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2005-2-2 03:22

[Repost] New FTP Brute Force (new FTP brute-forcing)?

Source: http://isc.sans.org/diary.php?date=2005-02-01

One of our readers (thanks Dan!) told us about some unusual traffic to his FTP server.

I've received some strange traffic on my FTP server in the last few days, or at least this is the first time I've noticed this traffic.

I'm running [OS DELETED], last patched within the week, and I've got my directories locked for outside writing. Evidently some program is attempting to connect to the server and create a directory. I say it's a program because it's polling for a particular set of directories including /wwwroot/ and /wwwhtml/ by using the 'CWD' command. If it receives a response of 'command successful', it then tries to create a directory using the 'MKD' command.

The last series looked for 38 different directories and found /pub/, /usr/, and /. In each of these, it tried to create a directory using 'MKD', but only after a reply of success to the CWD command. The exchange took less than ten seconds to complete.

The two attempts were evidently different sources, at least they had different name resolutions.

The server had permissions locked down to prevent a successful compromise or inappropriate use by anyone using this particular malware. While I have broadband, my router is only forwarding unsolicited traffic designated for port 21 of the server address. Updated patching and port/ip router are the only protections currently employed for this server, and no filtering is being applied at the router. I am monitoring traffic using Ethereal, however.

The attack looks like this:

USER anonymous
331 Guest login ok, type your name as password.
PASS Zgpuser@home.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 050131161412p
550 050131161412p: Permission denied.
CWD /public/
550 /public/: No such file or directory.
CWD /pub/incoming/
550 /pub/incoming/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
CWD /
250 CWD command successful.
MKD 050131161414p
550 050131161414p: Permission denied.
CWD /upload/
550 /upload/: No such file or directory.
CWD /_vti_txt/
550 /_vti_txt/: No such file or directory.
CWD /_vti_cfg/
550 /_vti_cfg/: No such file or directory.
CWD /_vti_log/
550 /_vti_log/: No such file or directory.
CWD /_vti_cnf/
550 /_vti_cnf/: No such file or directory.
CWD /_private/
550 /_private/: No such file or directory.
CWD /public/incoming/
550 /public/incoming/: No such file or directory.
CWD /public_html/
550 /public_html/: No such file or directory.
CWD /wwwroot/
550 /wwwroot/: No such file or directory.
CWD /mailroot/
550 /mailroot/: No such file or directory.
CWD /ftproot/
550 /ftproot/: No such file or directory.
CWD /home/
550 /home/: No such file or directory.
CWD /images/
550 /images/: No such file or directory.
CWD /web/
550 /web/: No such file or directory.
CWD /www/
550 /www/: No such file or directory.
CWD /html/
550 /html/: No such file or directory.
CWD /cgi-bin/
550 /cgi-bin/: No such file or directory.
CWD /usr/
250 CWD command successful.
MKD 050131161417p
550 050131161417p: Permission denied.
CWD /usr/incoming/
550 /usr/incoming/: No such file or directory.
CWD /temp/
550 /temp/: No such file or directory.
CWD /~temp/
550 ~temp: No such file or directory.
CWD /tmp/
550 /tmp/: No such file or directory.
CWD /~tmp/
550 ~tmp: No such file or directory.
CWD /outgoing/
550 /outgoing/: No such file or directory.
CWD /anonymous/
550 /anonymous/: No such file or directory.
CWD /anonymous/_vti_pvt/
550 /anonymous/_vti_pvt/: No such file or directory.
CWD /anonymous/_vti_cnf/
550 /anonymous/_vti_cnf/: No such file or directory.
CWD /anonymous/incoming/
550 /anonymous/incoming/: No such file or directory.
CWD /anonymous/pub/
550 /anonymous/pub/: No such file or directory.
CWD /anonymous/public/
550 /anonymous/public/: No such file or directory.
CWD / /
550 / /: No such file or directory.
CWD / /
550 / /: No such file or directory.
221 You could at least say goodbye.

A reader from New Zealand dropped us a note and mentioned that this is the work of a known FTP scanner, Grim's ping. Thanks for the note Simon!

All @ source link.
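As an added example, not part of the ISC diary or of this post: a small Python detector that replays an FTP control-channel transcript like the capture above and flags the pattern it describes (anonymous login, a sweep of CWD probes that mostly fail with 550, and an MKD attempted only after a CWD succeeds). The session excerpt it runs on is constructed from the quoted capture; the `min_missing` threshold, the `Session` field names and the `writable-found` label are my assumptions, not anything from the diary.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: an excerpt of the session quoted above (commands and replies interleaved).
SAMPLE = """USER anonymous
331 Guest login ok, type your name as password.
PASS Zgpuser@home.com
230 Guest login ok, access restrictions apply.
CWD /pub/
250 CWD command successful.
MKD 050131161412p
550 050131161412p: Permission denied.
CWD /public/
550 /public/: No such file or directory.
CWD /incoming/
550 /incoming/: No such file or directory.
CWD /_vti_pvt/
550 /_vti_pvt/: No such file or directory.
221 You could at least say goodbye."""

@dataclass
class Session:
    anonymous: bool = False
    cwd: list = field(default_factory=list)            # (directory, reply code) per CWD
    mkd_after_cwd: list = field(default_factory=list)  # (directory, name, reply code)

def analyse(transcript: str) -> Session:
    """Pair each client command with the server reply that follows it."""
    s, last_cmd, cur_dir = Session(), None, None
    for line in filter(None, map(str.strip, transcript.splitlines())):
        reply = re.match(r"^(\d{3})[ -]", line)
        if reply is None:                              # client command: VERB [arg]
            verb, _, arg = line.partition(" ")
            last_cmd = (verb.upper(), arg)
            s.anonymous |= last_cmd[0] == "USER" and arg.lower() in ("anonymous", "ftp")
            continue
        code, (verb, arg) = int(reply.group(1)), last_cmd or ("", "")
        if verb == "CWD":
            s.cwd.append((arg, code))
            cur_dir = arg if code == 250 else None
        elif verb == "MKD" and cur_dir is not None:    # the scanner MKDs only after a 250 CWD
            s.mkd_after_cwd.append((cur_dir, arg, code))
        last_cmd = None
    return s

def classify(s: Session, min_missing: int = 3) -> str:
    """'clean', 'probe' (scan pattern seen) or 'writable-found' (an MKD got 257)."""
    missing = sum(code != 250 for _, code in s.cwd)    # CWDs to directories that do not exist
    if not (s.anonymous and missing >= min_missing and s.mkd_after_cwd):
        return "clean"
    return "writable-found" if any(c == 257 for *_, c in s.mkd_after_cwd) else "probe"
```

Run `classify(analyse(SAMPLE))` against the excerpt and it reports `probe`; the same session with any MKD answered 257 instead of 550 reports `writable-found`, which is the case the reader's locked-down permissions prevented.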

© 1999-2008 EvilOctal Security Team