[Snort-users] FTP command overflow attempt help

Tyler Owen t.l.owen at ...4552...
Wed Dec 11 09:20:17 EST 2002


We are receiving a very large number of "FTP command overflow attempt"
alerts.  These alerts are coming from two address ranges in Italy.  Well,
that is not really odd by itself, but what I am really confused about is
the traffic (see below for a snippet).

They are logging into the machine via Anonymous FTP using a password of
ics at ...7726... and then issuing the PORT command 5 times per packet,
and it appears to be random how many times they issue the command.  The
source IPs change but are always from either 213.140.0.0/16 or
213.156.0.0/16.

I am at a loss for what is going on.  In researching valid traffic I
never saw two PORT commands back to back, so is this an attempted DoS or
what?

Any info would be very helpful!!  I am sorry if this is not the correct
avenue for this but I wasn't sure where to seek help.


Thanks,
Tyler

<DEMARC ALERT SUMMARY>
2002-12-11 04:48:15   SID:3 CID:518383
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
__________________________________________________________________
2002-12-11 04:48:07   SID:3 CID:518380
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
__________________________________________________________________
2002-12-11 04:47:59   SID:3 CID:518379
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
__________________________________________________________________
2002-12-11 04:47:51   SID:3 CID:518377
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
 
</DEMARC ALERT SUMMARY>

<ASCII traffic decode>

220 techreports.larc.nasa.gov FTP server ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS ics at ...7726...
230 Guest login ok, access restrictions apply.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,193,253
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,24,243
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.

</ASCII traffic decode>
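An analyst looking at alerts like the ones above usually wants two things the alert summary does not give directly: how many FTP commands were actually packed into each packet, and where each PORT command tells the server to open its data connection. The script below is an added example written for this post; it is not from the original poster, from Snort, or from Demarc. It decodes a Demarc-style hex dump (the first alert above is embedded as a constructed sample), splits the payload into CRLF-terminated FTP commands, parses each PORT argument into an address and port, and reports the command count per packet and whether any PORT target differs from the connection's own source address, the classic indicator of an FTP bounce rather than a plain active-mode transfer. The dump format, the source address and the constructed second payload are assumptions for the example; the check does not claim to reproduce the logic of the Snort rule that fired.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the hex dump of the first alert in the post above.
# Each line is sixteen hex bytes followed by an ASCII column, which the
# decoder discards.
SAMPLE_DUMP = """\
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
"""
# TCP source address from the same alert header (assumed for the example).
SAMPLE_SRC_IP = "213.140.12.218"


def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw payload bytes from a hex-plus-ASCII dump.

    The hex column is everything before the first run of two or more
    spaces; the ASCII column after it is ignored so that printable text
    that happens to look like hex does not get decoded twice."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        hex_part = re.split(r"\s{2,}", line, maxsplit=1)[0]
        out.extend(bytes.fromhex(hex_part))
    return bytes(out)


def split_commands(payload: bytes) -> List[Tuple[str, str]]:
    """Split an FTP control-channel payload into (VERB, argument) pairs.

    FTP commands are CRLF-terminated (RFC 959); a trailing fragment without
    CRLF is still returned so that a command cut at a packet boundary is
    visible to the analyst rather than silently dropped."""
    commands = []
    for raw in payload.split(b"\r\n"):
        if not raw:
            continue
        text = raw.decode("ascii", errors="replace")
        verb, _, arg = text.partition(" ")
        commands.append((verb.upper(), arg))
    return commands


def parse_port_args(arg: str) -> Tuple[str, int]:
    """Parse 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2).

    Raises ValueError for the malformed cases a hostile client can send:
    wrong field count, non-numeric fields, or values outside 0..255."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError(f"PORT needs 6 comma-separated values, got {len(parts)}")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError(f"non-numeric PORT value in {arg!r}") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError(f"PORT value out of byte range in {arg!r}")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def analyze_payload(payload: bytes, src_ip: str) -> Dict[str, object]:
    """Summarise one control-channel packet for triage."""
    commands = split_commands(payload)
    targets, malformed = [], []
    for verb, arg in commands:
        if verb != "PORT":
            continue
        try:
            targets.append(parse_port_args(arg))
        except ValueError as exc:
            malformed.append(str(exc))
    return {
        "payload_len": len(payload),
        "command_count": len(commands),
        "port_count": len(targets),
        "port_targets": targets,
        # A PORT target that is not the client itself asks the server to
        # connect somewhere else on the client's behalf (FTP bounce).
        "bounce": any(ip != src_ip for ip, _ in targets),
        "malformed_port": malformed,
    }


def analyze_packet(dump: str, src_ip: str) -> Dict[str, object]:
    """Convenience wrapper: decode a hex dump, then analyse it."""
    return analyze_payload(hexdump_to_bytes(dump), src_ip)


if __name__ == "__main__":
    report = analyze_packet(SAMPLE_DUMP, SAMPLE_SRC_IP)
    print(f"{report['payload_len']} bytes, {report['command_count']} commands, "
          f"{report['port_count']} PORT, bounce={report['bounce']}")
    for ip, port in report["port_targets"]:
        print(f"  data connection requested to {ip}:{port}")
```

Run against the embedded sample, the script shows five PORT commands in a 140-byte payload, every one pointing back at the client's own address on the same high port, and no bounce; that is consistent with a broken or badly written client resending PORT rather than with a bounce attack, which is the distinction worth making before deciding whether to tune the rule or block the ranges.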