[Snort-sigs] need a packet trace for serv-u/malware ftp session w/o login...

Donovan Tyler {tylerd} Donovan.Tyler at ...1676...
Fri Jul 18 05:37:18 EDT 2003


Sorry...I don't need a rule... I'm trying to test some IDS code.
We have gotten this kind of hack on our network (too often!) but I don't
have a trace on the actual beast.
My forensics tools often identify the rogue FTP server for these hacks
as SERV-U FTP, but that could be a false positive.
I suspect that hackers have gotten this code and modified it so that it
doesn't require authentication (generate login strings - non-IDS
detectable) or use some other FTP that is configurable in this way.

I need a packet trace of a "silent-mode" (no login strings) or hacked
ftp session of this kind.

Any traces, pointers, info is appreciated!
-Donovan
__________________________
K. Donovan Tyler, MCSE
Network Infrastructure Security
McCombs School of Business,
University of Texas at Austin
CBA 1.324H B6003
Austin, Texas 78712
512-232-2754

public key # 0x221F92A7
at http://pgp.mit.edu/
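One way to test for the "silent-mode" session described in the post, as an added example that is not part of the original message: flag FTP control-channel sessions in which the server accepts a transfer command before any USER or PASS was sent. The session/direction/text line format and the sample traffic below are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of FTP control-channel lines: (session, direction, text).
# Direction "C" is client to server, "S" is server to client. Not real traffic.
SAMPLE_LINES = [
    ("10.0.0.5:40001->10.0.0.9:21", "S", "220 Serv-U FTP Server ready"),
    ("10.0.0.5:40001->10.0.0.9:21", "C", "USER anonymous"),
    ("10.0.0.5:40001->10.0.0.9:21", "S", "331 User name okay, need password."),
    ("10.0.0.5:40001->10.0.0.9:21", "C", "PASS guest@"),
    ("10.0.0.5:40001->10.0.0.9:21", "S", "230 User logged in, proceed."),
    ("10.0.0.5:40001->10.0.0.9:21", "C", "RETR readme.txt"),
    ("10.0.0.5:40001->10.0.0.9:21", "S", "150 Opening data connection"),
    ("10.0.0.7:40002->10.0.0.9:21", "S", "220 Serv-U FTP Server ready"),
    ("10.0.0.7:40002->10.0.0.9:21", "C", "PASV"),
    ("10.0.0.7:40002->10.0.0.9:21", "S", "227 Entering Passive Mode (10,0,0,9,4,1)"),
    ("10.0.0.7:40002->10.0.0.9:21", "C", "RETR tool.exe"),
    ("10.0.0.7:40002->10.0.0.9:21", "S", "150 Opening data connection"),
]

LOGIN_CMDS = {"USER", "PASS"}
TRANSFER_CMDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST"}


def find_unauthenticated_transfers(lines):
    """Return {session: [transfer commands]} for sessions where the server
    answered a transfer command with a 1xx/2xx reply and no USER/PASS
    had been seen on that session beforehand."""
    login_seen = defaultdict(bool)
    pending = {}                     # session -> transfer command awaiting reply
    findings = defaultdict(list)
    for session, direction, text in lines:
        if direction == "C":
            cmd = text.split(" ", 1)[0].upper()
            if cmd in LOGIN_CMDS:
                login_seen[session] = True
            elif cmd in TRANSFER_CMDS and not login_seen[session]:
                pending[session] = text
        elif direction == "S" and session in pending:
            code = text[:3]
            # A positive preliminary (1xx) or completion (2xx) reply means the
            # server honoured the command without authentication.
            if code.isdigit() and code[0] in "12":
                findings[session].append(pending[session])
            pending.pop(session, None)
    return dict(findings)


if __name__ == "__main__":
    for session, cmds in find_unauthenticated_transfers(SAMPLE_LINES).items():
        print(f"{session}: transfers without login: {cmds}")
```

A login-string signature never fires on the second session, which is exactly the case the post is trying to exercise; this check keys on the accepted transfer instead.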
