RE: FTP/Port 1038 Feb 04 2003 10:26PM
Boyan Krosnov (bkrosnov lirex bg) (1 replies)
Hi Hoof and all on the list,

>(192,168,1,9,4,14)
4*256+14 = 1038
Nothing curious in this "probe":

just a passive-mode connection from the client to your server _after_ he
requested the server to go to passive mode with this command:
>[2] Tue 04Feb03 10:21:25 - (000001) PASV

and your server responded that the client should connect the data
connection to it on port 1038.
>[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)

Your NAT should provide fixup for the address 192.168.1.9 and port 1038,
and a permit and translation for the later incoming connection. If it
doesn't, it's plain broken NAT.

Best regards,
Boyan Krosnov
http://boyan.ludost.net/
just another techie speaking for himself

-----Original Message-----
From: Hoof Hearted [mailto:capbligh2001 (at) hotmail (dot) com [email concealed]]
Sent: Tuesday, February 04, 2003 8:50 PM
To: incidents (at) securityfocus (dot) com [email concealed]
Subject: FTP/Port 1038

Hi All

At 10:21 GMT today we had an incident of an FTP user accessing a Serv-U
(Version 2.5f) server through a NAT. A few seconds later the firewall noted
an inbound 'probe' on port 1038 (to the w/s; this port is not in the NAT).

The workstation firewall picked up as follows:
>2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 192.168.1.9:1038
>Port 1038 (TCP)

The ftp logs show:
>[5] Tue 04Feb03 06:20:20 - (000007) Connected to 199.18.36.14 (Local address 192.168.1.9)
>[6] Tue 04Feb03 06:20:20 - (000007) 220 Serv-U FTP-Server v2.5f for WinSock ready...
>[2] Tue 04Feb03 06:20:20 - (000007) USER anonymous
>[6] Tue 04Feb03 06:20:20 - (000007) 331 User name okay, please send complete E-mail address as password.
>[2] Tue 04Feb03 06:20:21 - (000007) PASS Ngpuser (at) home (dot) com [email concealed]
>[5] Tue 04Feb03 06:20:21 - (000007) ANONYMOUS logged in, password: NGPUSER (at) HOME (dot) COM [email concealed]
>[6] Tue 04Feb03 06:20:21 - (000007) 230 User logged in, proceed.
>[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/
>[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub: No such file or directory.
>[2] Tue 04Feb03 06:20:21 - (000007) CWD /public/
>[6] Tue 04Feb03 06:20:21 - (000007) 550 /public: No such file or directory.
>[2] Tue 04Feb03 06:20:21 - (000007) CWD /pub/incoming/
>[6] Tue 04Feb03 06:20:21 - (000007) 550 /pub/incoming: No such file or directory.
>[2] Tue 04Feb03 06:20:21 - (000007) CWD /incoming/
>[6] Tue 04Feb03 06:20:21 - (000007) 550 /incoming: No such file or directory.
>[2] Tue 04Feb03 06:20:22 - (000007) CWD /_vti_pvt/
>[6] Tue 04Feb03 06:20:22 - (000007) 550 /_vti_pvt: No such file or directory.
>[2] Tue 04Feb03 06:20:22 - (000007) CWD /
>[6] Tue 04Feb03 06:20:22 - (000007) 250 Directory changed to /
>[2] Tue 04Feb03 06:20:22 - (000007) MKD 030204011853p
>[6] Tue 04Feb03 06:20:22 - (000007) 550 /030204011853p: Permission denied.
>[2] Tue 04Feb03 06:20:22 - (000007) CWD /upload/
>[6] Tue 04Feb03 06:20:22 - (000007) 550 /upload: No such file or directory.
>[5] Tue 04Feb03 06:20:22 - (000007) Closing connection for user ANONYMOUS (00:00:02 connected)
>[5] Tue 04Feb03 07:18:07 - (000008) Connected to 196.1.95.197 (Local address 192.168.1.9)
>[6] Tue 04Feb03 07:18:07 - (000008) 220 Serv-U FTP-Server v2.5f for WinSock ready...
>[5] Tue 04Feb03 07:18:07 - (000008) Closing connection
>[1] Tue 04Feb03 10:06:39 - FTP server going down...
>[1] Tue 04Feb03 10:16:03 - Starting FTP Server... (Version 2.5f (32-bit))
>[5] Tue 04Feb03 10:21:20 - (000001) Connected to 203.198.145.93 (Local address 192.168.1.9)
>[6] Tue 04Feb03 10:21:20 - (000001) 220 Serv-U FTP-Server v2.5f for WinSock ready...
>[5] Tue 04Feb03 10:21:20 - (000001) IP-Name: MAIL.HYPRINT.COM
>[2] Tue 04Feb03 10:21:21 - (000001) USER anonymous
>[6] Tue 04Feb03 10:21:21 - (000001) 331 User name okay, please send complete E-mail address as password.
>[2] Tue 04Feb03 10:21:21 - (000001) PASS ano (at) ano (dot) com [email concealed]
>[5] Tue 04Feb03 10:21:21 - (000001) ANONYMOUS logged in, password: ANO (at) ANO (dot) COM [email concealed]
>[6] Tue 04Feb03 10:21:21 - (000001) 230 User logged in, proceed.
>[2] Tue 04Feb03 10:21:22 - (000001) TYPE I
>[6] Tue 04Feb03 10:21:22 - (000001) 200 Type set to I.
>[2] Tue 04Feb03 10:21:22 - (000001) STRU F
>[6] Tue 04Feb03 10:21:22 - (000001) 200 STRU F ok.
>[2] Tue 04Feb03 10:21:22 - (000001) MODE S
>[6] Tue 04Feb03 10:21:22 - (000001) 200 MODE S ok.
>[2] Tue 04Feb03 10:21:23 - (000001) REST 0
>[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 0 - send STORE or RETRIEVE to initiate transfer.
>[2] Tue 04Feb03 10:21:23 - (000001) REST 1
>[6] Tue 04Feb03 10:21:23 - (000001) 350 Restarting at 1 - send STORE or RETRIEVE to initiate transfer.
>[2] Tue 04Feb03 10:21:24 - (000001) REST 0
>[6] Tue 04Feb03 10:21:24 - (000001) 350 Restarting at 0 - send STORE or RETRIEVE to initiate transfer.
>[2] Tue 04Feb03 10:21:24 - (000001) SYST
>[6] Tue 04Feb03 10:21:24 - (000001) 215 UNIX Type: L8
>[2] Tue 04Feb03 10:21:25 - (000001) PASV
>[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)
>[5] Tue 04Feb03 10:22:06 - (000001) Closing connection for user ANONYMOUS (00:00:46 connected)

A cursory investigation noted that the 'probe' (allegedly from
mail.hyprint.com) came from a machine that thinks it's mail.hyprint.com.hk
(seemingly no connection to hyprint.com, who have a very different MX
config).

I might, at a push, believe this is a new user with a very open box, except
that the box seems to be a W2K Advanced Server with M$ Exchange 2000 and DNS
set up (alongside RAdmin, Serv-U FTP 2.5j, etc.), all running (apparently)
behind a Linksys router (ip +8080).

Anyway - there's the heads up. :)


------------------------------------------------------------------------

----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

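As an added example (not part of either post), this Python snippet does what Boyan works out by hand: it decodes a 227 reply into host and port (4*256+14 = 1038) and then checks an inbound firewall entry against recent PASV announcements, so a data connection from the same peer to the announced port is classified as the expected passive-mode connection rather than a probe. The Serv-U and firewall log formats, the sample lines and the 60-second window are assumptions modelled on the lines quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# 227 reply per RFC 959: six decimal bytes, port = p1*256 + p2 (4*256+14 = 1038 here)
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Serv-U line: "[5] Tue 04Feb03 10:21:20 - (000001) message" (format assumed from the post)
SERVU_RE = re.compile(r"\[\d\] \w{3} (\d\d\w{3}\d\d \d\d:\d\d:\d\d) - \((\d+)\) (.*)")
# Firewall line: "date time src:port [(name)] dst:port ..." (format assumed from the post)
FW_RE = re.compile(r"(\S+ \S+) (\d+\.\d+\.\d+\.\d+):\d+(?: \(\S+\))? (\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):       # each field must fit in one byte
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def pasv_announcements(servu_lines):
    """Collect (time, peer_ip, host, port) for every 227 reply, keyed to the session's peer."""
    peers, out = {}, []
    for line in servu_lines:
        m = SERVU_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        sid, msg = m.group(2), m.group(3)
        c = re.match(r"Connected to (\S+)", msg)
        if c:
            peers[sid] = c.group(1)   # remember which peer owns this session id
        hp = parse_pasv(msg)
        if hp and sid in peers:
            out.append((when, peers[sid], hp[0], hp[1]))
    return out

def classify_inbound(fw_line, announcements, window=timedelta(seconds=60)):
    """'expected' if the inbound hit matches a recent PASV announcement made to the same peer."""
    m = FW_RE.match(fw_line)
    if not m:
        return "unparsed"
    when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    src, dst, dport = m.group(2), m.group(3), int(m.group(4))
    for t, peer, host, port in announcements:
        if (src, dst, dport) == (peer, host, port) and timedelta(0) <= when - t <= window:
            return "expected"
    return "unexplained"

# Constructed sample lines, modelled on those quoted in the thread
SERVU = ["[5] Tue 04Feb03 10:21:20 - (000001) Connected to 203.198.145.93 (Local address 192.168.1.9)",
         "[2] Tue 04Feb03 10:21:25 - (000001) PASV",
         "[6] Tue 04Feb03 10:21:25 - (000001) 227 Entering Passive Mode (192,168,1,9,4,14)"]
FW_OK = "2003/02/04 10:21:26 203.198.145.93:6718 (mail.hyprint.com) 192.168.1.9:1038 Port 1038 (TCP)"
FW_BAD = "2003/02/04 10:30:00 198.51.100.7:40000 192.168.1.9:1038 Port 1038 (TCP)"  # unrelated source
```

Running `classify_inbound(FW_OK, pasv_announcements(SERVU))` yields "expected", while the unrelated source in FW_BAD yields "unexplained" and is the kind of hit worth a closer look.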
