Date: Tue Jun 13 19:41:27 2006
From: cardosolistas at contraditorium.com (Cardoso)
Subject: repeated port 21 attempts

A lot of modern Windows apps "call home" for updates or license checks.
Unless you have a very restrictive policy on installed software, your
network will see a lot of calls like that.

Also, some programs scan the local network searching for peers or servers;
iTunes does it, I think.



On Tue, 13 Jun 2006 13:26:20 -0500
Jacob Wu <Wu@....UWM.EDU> wrote:

JW> I have received the suggestion that these attempts to connect to our ftp
JW> server are actually attempts to connect to some anti-virus ftp server for
JW> updates.  This is quite probable given that:
JW> 
JW> 1.) When our client has a 10.x.x.x address all dns requests resolve to the
JW> IP number of my server.
JW> 2.) After they register and have a "real" IP we switch them to a real DNS
JW> server.
JW> 
JW> It is also possible that it could be a bot "calling home", but when we have
JW> brought the computers down to our office and scanned them ourselves we can't
JW> find anything on them.
JW> 
JW> I'm going to call this one done since the "attacks" seem to go away once we
JW> give them a "real" IP.  Thanks to all.
JW> 
JW> -----Original Message-----
JW> From: Andrew Farmer [mailto:andfarm@...il.com] 
JW> Sent: Tuesday, June 13, 2006 12:49 PM
JW> To: Jacob Wu
JW> Cc: full-disclosure@...ts.grok.org.uk
JW> Subject: Re: Re: [Full-disclosure] repeated port 21 attempts
JW> 
JW> On 6/13/06, Jacob Wu <Wu@....uwm.edu> wrote:
JW> > They are all non routable 10.x.x.x IPs.  This is for a residence hall at my
JW> > University.  Residents, when they first turn on their computers, are given a
JW> > 10.x.x.x IP and made to register and agree with the network use policy.
JW> > Once they do that they are given a "real" IP and thus access to the
JW> > internet.
JW> 
JW> Are you doing something weird with DNS that's making this one machine's
JW> address to show up on lookups, or messing with routing so that everything
JW> gets redirected to this box?
JW> 
JW> If so, I'd wonder if this is some sort of bot that you're seeing that's
JW> trying to "call home" with FTP. It might behoove you to (kindly) ask the
JW> owner of one of the machines to let you take a look at their machine to see
JW> what it's doing.
JW> 
JW> > Someone sent me this link:
JW> >> Try websnarf:  http://www.unixwiz.net/tools/websnarf-1.04
JW> > But it gives me less information than iptables does.
JW> 
JW> You may have to modify it to better imitate an FTP server - it was written
JW> for use as a faux HTTP server. In particular, the client may be waiting for
JW> a banner and/or greeting before it makes a request.
JW> 
JW> _______________________________________________
JW> Full-Disclosure - We believe in it.
JW> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
JW> Hosted and sponsored by Secunia - http://secunia.com/
JW> 

Allgemeinen Anschulterlaubnis
Cardoso <cardoso@...ox.com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
vida digital: http://www.contraditorium.com site pessoal e blog: http://www.carloscardoso.com
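The faux FTP server idea from Andrew's reply, written out as an added example (not code from this thread or from websnarf): a listener that sends the 220 banner a waiting client needs and then records every command it sends, so an admin can read the USER/PASS/CWD lines and tell which update server the client believes it reached. The port, banner text and reply wording are assumptions.

```python
import socket
import threading

def ftp_reply(line):
    """Minimal RFC 959 replies: just enough to keep the client talking."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        return f"331 Password required for {arg}\r\n"
    if verb == "PASS":
        return "230 Logged in\r\n"
    if verb == "QUIT":
        return "221 Goodbye\r\n"
    return "502 Command not implemented\r\n"

def run_session(lines, send):
    """Drive one control-connection dialogue and return the client's commands.
    `lines` yields raw client lines, `send` transmits our reply text."""
    send("220 ftp ready\r\n")           # assumed banner; a waiting client needs this first
    seen = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        seen.append(line)               # USER/PASS/CWD reveal the intended server
        send(ftp_reply(line))
        if line.upper().startswith("QUIT"):
            break
    return seen

def handle_client(conn, addr):
    rfile = conn.makefile("rb")
    lines = (raw.decode("ascii", "replace") for raw in rfile)
    try:
        commands = run_session(lines, lambda s: conn.sendall(s.encode("ascii")))
        for cmd in commands:            # print one line per command, per client
            print(f"{addr[0]}: {cmd}")
    finally:
        conn.close()

def serve(port=21, bind="0.0.0.0"):
    """Listen on the FTP control port and record each client's dialogue."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, args=(conn, addr), daemon=True).start()

if __name__ == "__main__":
    serve()
```

Binding port 21 needs privileges; pass a high port to `serve()` and redirect 21 to it if that is a problem.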
