Date: Tue Jun 13 19:41:27 2006
From: cardosolistas at contraditorium.com (Cardoso)
Subject: repeated port 21 attempts

A lot of modern Windows apps "call home" for updates or license checks. Unless you have a very restrictive policy of installed software, your network will see a lot of calls like that. Also some programs scan the local network searching for peers or servers, iTunes does it, I think.

On Tue, 13 Jun 2006 13:26:20 -0500
Jacob Wu <Wu@....UWM.EDU> wrote:

JW> I have received the suggestion that these attempts to connect to our ftp
JW> server are actually attempts to connect to some anti-virus ftp server for
JW> updates. This is quite probable given that:
JW>
JW> 1.) When our client has a 10.x.x.x address all dns requests resolve to the
JW> IP number of my server.
JW> 2.) After they register and have a "real" IP we switch them to a real DNS
JW> server.
JW>
JW> It is also possible that it could be a bot "calling home", but when we have
JW> brought the computers down to our office and scanned them ourselves we can't
JW> find anything on them.
JW>
JW> I'm going to call this one done since the "attacks" seem to go away once we
JW> give them a "real" IP. Thanks to all.
JW>
JW> -----Original Message-----
JW> From: Andrew Farmer [mailto:andfarm@...il.com]
JW> Sent: Tuesday, June 13, 2006 12:49 PM
JW> To: Jacob Wu
JW> Cc: full-disclosure@...ts.grok.org.uk
JW> Subject: Re: Re: [Full-disclosure] repeated port 21 attempts
JW>
JW> On 6/13/06, Jacob Wu <Wu@....uwm.edu> wrote:
JW> > They are all non routable 10.x.x.x IPs. This is for a residence hall at my
JW> > University. Residents, when they first turn on their computers, are given a
JW> > 10.x.x.x IP and made to register and agree with the network use policy.
JW> > Once they do that they are given a "real" IP and thus access to the
JW> > internet.
JW>
JW> Are you doing something weird with DNS that's making this one machine's
JW> address to show up on lookups, or messing with routing so that everything
JW> gets redirected to this box?
JW>
JW> If so, I'd wonder if this is some sort of bot that you're seeing that's trying to
JW> "call home" with FTP. It might behoove you to (kindly) ask the owner of one
JW> of the machines to let you take a look at their machine to see what it's
JW> doing.
JW>
JW> > Someone sent me this link:
JW> >> Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04
JW> > But it gives me less information than iptables does.
JW>
JW> You may have to modify it to better imitate an FTP server - it was written for
JW> use as a faux HTTP server. In particular, the client may be waiting for a banner
JW> and/or greeting before it makes a request.
JW>
JW> _______________________________________________
JW> Full-Disclosure - We believe in it.
JW> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
JW> Hosted and sponsored by Secunia - http://secunia.com/

Allgemeinen Anschulterlaubnis
Cardoso <cardoso@...ox.com> - SkypeIn: (11) 3711-2466 / (41) 3941-5299
digital life: http://www.contraditorium.com
personal site and blog: http://www.carloscardoso.com
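Andrew Farmer's point above is that the mystery clients may be waiting for an FTP greeting before they say anything, so an HTTP-style sink like websnarf shows nothing. The listener below is an added example, not code from this thread or from websnarf: it sends a 220 banner, answers every command with 530, and records only the first few commands (USER names identify an updater; PASS arguments are masked). The port 2121 and the `exercise` helper are assumptions for local use.

```python
import socket
import threading

BANNER = b"220 FTP service ready\r\n"   # many clients send nothing until they see a 220 line

def redact_command(line: str) -> str:
    """Normalise one FTP command line for logging; never record a password."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "PASS":
        return "PASS ********"
    return f"{verb} {arg}".strip()

def serve_session(conn: socket.socket, max_commands: int = 4, timeout: float = 10.0) -> list[str]:
    """Greet, refuse every command with 530, and return the redacted commands seen.
    Nothing is ever authenticated; the goal is only to learn what the client wanted."""
    seen: list[str] = []
    conn.settimeout(timeout)
    conn.sendall(BANNER)
    buf = b""
    try:
        while len(seen) < max_commands:
            chunk = conn.recv(1024)
            if not chunk:                      # client closed its side
                break
            buf += chunk
            while b"\r\n" in buf and len(seen) < max_commands:
                raw, buf = buf.split(b"\r\n", 1)
                seen.append(redact_command(raw.decode("ascii", "replace")))
                conn.sendall(b"530 Not logged in.\r\n")
    except (socket.timeout, ConnectionError):
        pass                                   # silent or vanished client: keep what we have
    return seen

def exercise(client_lines: list[bytes], max_commands: int = 4) -> list[str]:
    """Run serve_session against a constructed client over a socketpair (local check only)."""
    server_end, client_end = socket.socketpair()
    result: list[str] = []
    worker = threading.Thread(target=lambda: result.extend(serve_session(server_end, max_commands)))
    worker.start()
    if not client_end.recv(1024).startswith(b"220"):
        raise RuntimeError("no FTP greeting received")
    for line in client_lines:
        client_end.sendall(line)
    client_end.shutdown(socket.SHUT_WR)        # EOF tells the server the client is done
    worker.join()
    server_end.close()
    client_end.close()
    return result

if __name__ == "__main__":
    # Assumed port; redirect inbound 21 here with iptables if the box must stay unprivileged.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", 2121))
    listener.listen()
    while True:
        conn, peer = listener.accept()
        with conn:
            print(peer[0], serve_session(conn))   # one line per session: who came and what it asked
```

The per-session line pairs the 10.x.x.x source with the USER name it tried, which is usually enough to tell an antivirus updater from something that deserves a closer look on the host.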