Date:      Fri, 17 Jan 2003 10:01:43 -0500
From:      Bill Moran <wmoran@potentialtech.com>
To:        Jim Freeze <jim@freeze.org>
Cc:        FreeBSD Questions <FreeBSD-questions@FreeBSD.org>
Subject:   Re: Possible attack?
Message-ID:  <3E281AD7.6090807@potentialtech.com>
References:  <20030117093453.A9304@freeze.org>

Jim Freeze wrote:
> Hi:
> 
> I got an interesting log report today. 
> Has anyone seen such messages lately?
> 
> Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
> Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM
>   p5089A961.dip.t-dialin.net
> Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM
>   p5089A961.dip.t-dialin.net
> Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME
>   Content-Disposition header due to
>  field size (length = 25) (possible attack)
> Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM
>  pD9E60C0F.dip.t-dialin.net
> Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM
>  pD9E60C0F.dip.t-dialin.net
> Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME
>  Content-Disposition header due to
>   field size (length = 22) (possible attack)

I've seen the "anonymous FTP denied" off and on.  I think that some folks
just randomly attempt to connect to any FTP server they find in the
hopes that there's cool stuff there.
The sm-mta Truncated MIME stuff isn't familiar to me, and it doesn't
actually seem related (compare the times).  Could be someone with a
broken mailer? or some sort of bogus MIME header that facilitates
the propagation of some worm?
It's probably a cheesy attempt at an "attack".  But it's not blatant
enough to do much more than note it in case something more serious
goes wrong.  If you don't have any clients that should be connecting
from Deutsche Telekom, you can just firewall off that whole subnet.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com