From: Bill Moran
Date: Fri, 17 Jan 2003 10:01:43 -0500
To: Jim Freeze
Cc: FreeBSD Questions
Subject: Re: Possible attack?
Message-ID: <3E281AD7.6090807@potentialtech.com>
References: <20030117093453.A9304@freeze.org>

Jim Freeze wrote:
> Hi:
>
> I got an interesting log report today.
> Has anyone seen such messages lately?
>
> Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
> Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM
> p5089A961.dip.t-dialin.net
> Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM
> p5089A961.dip.t-dialin.net
> Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME
> Content-Disposition header due to
> field size (length = 25) (possible attack)
> Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM
> pD9E60C0F.dip.t-dialin.net
> Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM
> pD9E60C0F.dip.t-dialin.net
> Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME
> Content-Disposition header due to
> field size (length = 22) (possible attack)

I've seen the "anonymous FTP denied" off and on. I think that some folks
just randomly attempt to connect to any FTP server they find in the hopes
that there's cool stuff there.

The sm-mta Truncated MIME stuff isn't familiar to me, and it doesn't
actually seem related (compare the times). Could be someone with a broken
mailer, or some sort of bogus MIME header that facilitates the propagation
of some worm?

It's probably a cheesy attempt at an "attack". But it's not blatant enough
to do much more than note it in case something more serious goes wrong.

If you don't have any clients that should be connecting from Deutsche
Telekom, you can just firewall off that whole subnet.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
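The triage Bill describes (count the anonymous-FTP refusals per source host, and check whether the sendmail "possible attack" lines fall anywhere near the ftpd lines in time) can be scripted over the syslog excerpt from the thread. This is an added example, not code from either poster; it assumes the log year is 2003 and uses a constructed copy of the quoted lines with the mail-wrapped hostnames joined back onto their lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the syslog excerpt quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)
"""

# "Mon DD HH:MM:SS host program[pid]: message" (pid optional, e.g. /kernel has none)
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
FTP_REFUSED = re.compile(r"ANONYMOUS FTP LOGIN REFUSED FROM (\S+)")
MIME_TRUNC = re.compile(r"Truncated MIME .* \(length = (\d+)\) \(possible attack\)")

def parse(log, year=2003):
    """Return (timestamp, program, message) per syslog line; year is assumed (syslog omits it)."""
    events = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # skip lines that are not in syslog format
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(4)))
    return events

def ftp_refusals_by_host(events):
    """Count anonymous-FTP refusals per remote host (one probe usually logs several lines)."""
    counts = {}
    for _, prog, msg in events:
        m = FTP_REFUSED.search(msg) if prog == "ftpd" else None
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def correlated_mime_events(events, window=timedelta(minutes=30)):
    """For each sendmail 'possible attack' line return (timestamp, header length,
    number of ftpd lines within +/- window). Zero neighbours supports the
    'not related, compare the times' reading from the reply."""
    ftp_times = [ts for ts, prog, _ in events if prog == "ftpd"]
    result = []
    for ts, prog, msg in events:
        m = MIME_TRUNC.search(msg) if prog == "sm-mta" else None
        if m:
            near = [t for t in ftp_times if abs(t - ts) <= window]
            result.append((ts, int(m.group(1)), len(near)))
    return result
```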