[Snort-sigs] need a packet trace for serv-u/malware ftp session w/o login...

Donovan Tyler {tylerd} Donovan.Tyler at ...1676...
Fri Jul 18 05:37:18 EDT 2003

Sorry...I don't need a rule... I'm trying to test some IDS code.
We have gotten this kind of hack on our network (too often!) but I don't
have a trace on the actual beast.
My forensics tools often identify the rogue FTP server for these hacks
as SERV-U FTP, but that could be a false positive.
I suspect that hackers have gotten this code and modified it so that it
doesn't require authentication (generate login strings - non-IDS
detectable) or use some other FTP that is configurable in this way.

I need a packet trace of a "silent-mode" (no login strings) or hacked
ftp session of this kind.

Any traces, pointers, info is appreciated!
K. Donovan Tyler, MCSE
Network Infrastructure Security
McCombs School of Business,
University of Texas at Austin
CBA 1.324H B6003
Austin, Texas 78712

public key # 0x221F92A7
at http://pgp.mit.edu/
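The post is after a trace of an FTP session that carries no USER/PASS strings, because a login-string signature cannot fire on it. One way to detect such a session without depending on login strings is to track the control channel per session and flag any session that reaches post-login commands (PASV, PORT, RETR, STOR, LIST and so on) before a USER and PASS pair was ever sent. The script below is an added example, not code from the original post or from any IDS project; the session records it analyses are constructed sample data (including the Serv-U-style banner text), the session-id/direction/line record layout is an assumption about how a capture would be pre-processed, and the set of "post-login" commands is the detector's own heuristic.

```python
"""
Added example (not part of the original mailing-list post): a detector for
FTP control-channel sessions that reach data-transfer or directory commands
without ever sending USER and PASS, i.e. the "silent-mode" session the post
asks about.  Input records are (session_id, direction, line) tuples, where
direction is 'C' (client -> server) or 'S' (server -> client).  This record
layout is an assumption; a real capture would be reassembled into it first.
"""
from collections import defaultdict
import re

# Commands a well-behaved server only honours after authentication.
# Assumption: treating these as "post-login" commands is this detector's
# own heuristic, not something stated in the original post.
POST_LOGIN_CMDS = {"PASV", "PORT", "RETR", "STOR", "LIST", "NLST", "CWD", "MKD"}

# FTP commands are 3-4 letters followed by whitespace or end of line.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?:\s|$)")


def analyze_sessions(records):
    """Return {session_id: finding} for every session seen in records.

    A session is marked suspicious as soon as a post-login command is sent
    while USER and PASS have not both been seen; the first such command is
    recorded as the trigger so an analyst can find it in the trace.
    """
    state = defaultdict(lambda: {"user": False, "pass": False,
                                 "banner": "", "trigger": None})
    for sid, direction, raw in records:
        s = state[sid]
        line = raw.strip()
        if direction == "S":
            # Keep the greeting only as context: the post notes that a
            # Serv-U banner by itself may be a false positive.
            if line.startswith("220") and not s["banner"]:
                s["banner"] = line[4:]
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd = m.group(1).upper()
        if cmd == "USER":
            s["user"] = True
        elif cmd == "PASS":
            s["pass"] = True
        elif (cmd in POST_LOGIN_CMDS and not (s["user"] and s["pass"])
              and s["trigger"] is None):
            s["trigger"] = line
    return {
        sid: {
            "banner": s["banner"],
            "authenticated": s["user"] and s["pass"],
            "suspicious": s["trigger"] is not None,
            "trigger": s["trigger"],
        }
        for sid, s in state.items()
    }


# Constructed sample data, not a real trace.  Session A is a normal login,
# session B never sends USER/PASS at all, session C sends USER but no PASS.
SAMPLE_RECORDS = [
    ("A", "S", "220 Serv-U FTP Server v4.0 for WinSock ready..."),
    ("A", "C", "USER anonymous"),
    ("A", "S", "331 User name okay, need password."),
    ("A", "C", "PASS guest@example.com"),
    ("A", "S", "230 User logged in, proceed."),
    ("A", "C", "PASV"),
    ("A", "S", "227 Entering Passive Mode (10,0,0,5,19,137)"),
    ("A", "C", "RETR readme.txt"),
    ("B", "S", "220 Serv-U FTP Server v4.0 for WinSock ready..."),
    ("B", "C", "PASV"),
    ("B", "S", "227 Entering Passive Mode (10,0,0,5,19,140)"),
    ("B", "C", "STOR upload.bin"),
    ("B", "S", "150 Opening BINARY mode data connection"),
    ("C", "S", "220 Serv-U FTP Server v4.0 for WinSock ready..."),
    ("C", "C", "USER ftp"),
    ("C", "S", "331 User name okay, need password."),
    ("C", "C", "LIST"),
]


def suspicious_sessions(records=SAMPLE_RECORDS):
    """Sorted ids of sessions that hit post-login commands unauthenticated."""
    return sorted(sid for sid, f in analyze_sessions(records).items()
                  if f["suspicious"])


if __name__ == "__main__":
    for sid, f in sorted(analyze_sessions(SAMPLE_RECORDS).items()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{sid}: {flag:10} auth={f['authenticated']} "
              f"trigger={f['trigger']!r} banner={f['banner']!r}")
```

The check is stateful per session rather than per packet, which is the point: nothing in session B matches a login signature, yet the sequence "banner, PASV, STOR" is visible on the control channel alone, and that is what a rule keyed on login strings misses. Requiring both USER and PASS (session C) also catches servers patched to accept any username with no password prompt honoured.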
