[prev in list] [next in list] [prev in thread] [next in thread] 

List:       firewall-wizards
Subject:    Re: What kind of ftp attack is this?
From:       "Marcus J. Ranum" <mjr () nfr ! net>
Date:       1999-03-25 21:32:44
[Download RAW message or body]

>>> Mar 24 13:51:34 strip ftpd[2699]: refused PORT 0,1328 from 193.226.92.xxx
>>> Mar 24 13:51:49 strip ftpd[2703]: refused PORT 0,1331 from 193.226.92.xxx

Looks like someone using FTP bouncing to do a port scan.
This is why having FTP servers behind firewalls is a Bad Thing.
See
http://www.clark.net/pub/mjr/pubs/attck/sld052.htm
for a sketchy overview of FTP bouncing. You can extrapolate
bouncing to do all kind of stuff like scanning, denial of
service, etc.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

[prev in list] [next in list] [prev in thread] [next in thread]