From owner-freebsd-security Sat Apr 5 10:39:01 1997
Return-Path:
Received: (from root@localhost)
    by freefall.freebsd.org (8.8.5/8.8.5) id KAA21399
    for security-outgoing; Sat, 5 Apr 1997 10:39:01 -0800 (PST)
Received: from postoffice.cso.uiuc.edu (postoffice.cso.uiuc.edu [128.174.5.11])
    by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA21376;
    Sat, 5 Apr 1997 10:38:55 -0800 (PST)
Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [128.174.83.167])
    by postoffice.cso.uiuc.edu (8.8.5/8.8.5) with SMTP id MAA212288;
    Sat, 5 Apr 1997 12:38:53 -0600
Received: by alecto.physics.uiuc.edu (940816.SGI.8.6.9/940406.SGI) id MAA28007;
    Sat, 5 Apr 1997 12:38:40 -0600
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199704051838.MAA28007@alecto.physics.uiuc.edu>
Subject: Is it an attempt to use some wu-ftpd exploit ?
To: gpalmer@freebsd.org (Gary Palmer)
Date: Sat, 5 Apr 1997 12:38:40 -0600 (CST)
Cc: james@nexis.net, freebsd-isp@freebsd.org, freebsd-security@freebsd.org
In-Reply-To: <10330.860218456@orion.webspan.net> from "Gary Palmer" at Apr 5, 97 00:34:16 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello!

I am not sure, I might have missed some message about such an exploit,
but recently I've noticed in the syslog that people are trying
to "scan" ports using ftp.

I am running Version wu-2.4.2-academ[BETA-12](2)
(I compiled it on Feb 2, 1997).

The message I see in the syslog is of the following type:

    ftpd[3313]: refused PORT 0,3451 from tba-40.tba.com.br

And, the port number can be a different number, I believe in the range
1xxx-4xxx or even 5xxx.

Any idea?

Thanks!

I did not have time to look into the source code yet,
but maybe somebody can advise me what are the possible situations
when such a message is generated.

IgoR