[Snort-users] FTP command overflow attempt help

Hicks, John JHicks at ...5857...
Wed Dec 11 10:12:06 EST 2002


The actual port requested looks to be 62010 ((242*256)+58) which would fit
for an ephemeral FTP data connection.

The only thing that makes me curious is the fact that the Alerts don't look
like the same FTP traffic as the log itself. If the user shown in the
actual FTP logs isn't originating from 213.140.9.152, then you may be
experiencing an FTP bounce attack. Since you mentioned subnet*s*, I'll
assume they all look the same, so this could be a recon effort to identify
passive capable FTP servers.

I found a decent explanation on FTP command types here:
http://slacksite.com/other/ftp.html
More info on FTP Port command attacks can be found here:
http://www.cert.org/tech_tips/ftp_port_attacks.html

hth,
John Hicks
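As an added example (not code from either message in this thread), the port arithmetic and the bounce check described above, applied to the alert's own hex dump: it rebuilds the control-channel payload from the dump, parses each RFC 959 PORT argument, and labels any PORT whose host is not the control-connection peer as a bounce indicator. The constructed sample is the first alert's dump and its source IP as printed in the summary.

```python
import re

# Constructed from the first alert in the post: the 16-byte-per-line hex dump
# of the FTP control-channel payload, as the alert summary printed it.
ALERT_HEXDUMP = [
    "50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,",
    "32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT",
    "20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,",
    "32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213",
    "2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,",
    "35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140",
    "2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.",
    "50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,",
    "32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58",
]
CONTROL_SRC = "213.140.12.218"  # source IP of the control connection in the alert
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def decode_hexdump(lines):
    """Rebuild the payload: the hex column is 16 bytes x 3 chars, i.e. the first 47 chars."""
    return b"".join(bytes.fromhex(line[:47]) for line in lines).decode("ascii")

def parse_port(cmd):
    """RFC 959 PORT h1,h2,h3,h4,p1,p2 -> (host, p1*256+p2), or None if malformed."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def classify(cmd, control_src):
    """Triage one PORT command: 'bounce' if the data host is not the control peer,
    'privileged' if the data port is below 1024, 'ok' otherwise, 'malformed' if unparsable."""
    parsed = parse_port(cmd)
    if parsed is None:
        return "malformed"
    host, port = parsed
    if host != control_src:
        return "bounce"
    if port < 1024:
        return "privileged"
    return "ok"

def port_commands(payload):
    """Split a control-channel payload on CRLF and return its PORT lines."""
    return [ln for ln in payload.split("\r\n") if ln.startswith("PORT ")]
```

Calling `port_commands(decode_hexdump(ALERT_HEXDUMP))` returns the five identical PORT lines from the alert, each resolving to 213.140.12.218 port 62010 and classified "ok"; the decoded session's `PORT 213,140,9,152,66,11` classifies as "bounce" against the same control peer.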

-----Original Message-----
From: Tyler Owen [mailto:t.l.owen at ...4552...]
Sent: Wednesday, December 11, 2002 12:14 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] FTP command overflow attempt help



We are receiving a very large number of alerts triggering the "FTP
command overflow attempt" alerts.  These alerts are coming from two
address ranges in Italy.  Well that is not really odd by itself but what
I am really confused on is the traffic. (see below for snippet) 

They are logging into the machine via Anonymous FTP using a password of
ics at ...7726... and then issuing the PORT command 5 times per packet. 
And it appears to be random how many times that they do issue the
command.  The source IPs change but are always from either
213.140.0.0/16 or 213.156.0.0/16

I am at a loss for what is going on.  In researching valid traffic I
never saw two PORT commands back to back, so is this an attempted DOS or
what??

Any info would be very helpful!!  I am sorry if this is not the correct
avenue for this but I wasn't sure where to seek help.


Thanks,
Tyler

<DEMARC ALERT SUMMARY>
2002-12-11 04:48:15   SID:3 CID:518383
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
__________________________________________________________________
2002-12-11 04:48:07   SID:3 CID:518380
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
__________________________________________________________________
2002-12-11 04:47:59   SID:3 CID:518379
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
__________________________________________________________________
2002-12-11 04:47:51   SID:3 CID:518377
FTP command overflow attempt
[TCP] 213.140.12.218:3483 ->  128.155.200.90:21
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A 50 4F 52 54   218,242,58.PORT
20 32 31 33 2C 31 34 30 2C 31 32 2C 32 31 38 2C    213,140,12,218,
32 34 32 2C 35 38 0D 0A 50 4F 52 54 20 32 31 33   242,58.PORT 213
2C 31 34 30 2C 31 32 2C 32 31 38 2C 32 34 32 2C   ,140,12,218,242,
35 38 0D 0A 50 4F 52 54 20 32 31 33 2C 31 34 30   58.PORT 213,140
2C 31 32 2C 32 31 38 2C 32 34 32 2C 35 38 0D 0A   ,12,218,242,58.
50 4F 52 54 20 32 31 33 2C 31 34 30 2C 31 32 2C   PORT 213,140,12,
32 31 38 2C 32 34 32 2C 35 38 0D 0A               218,242,58
 
</DEMARC ALERT SUMMARY>

<ASCII traffic decode>

220 techreports.larc.nasa.gov FTP server ready.
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS ics at ...7726...
230 Guest login ok, access restrictions apply.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,193,253
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,24,243
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.
PORT 213,140,9,152,66,11
200 PORT command successful.

</ASCII traffic decode>


