I have received an occurrence of the event "Privileged port attack enabled on FTP server".
Reading the information from the Vulnerability Info tab, it says "The FTP service specification allows passive connections to be established based on the port address given by the client. This configuration can allow attackers to execute destructive commands using the FTP service. The problem occurs when the FTP service connects using a port other than FTP Data port (port 20) and the port number is less than IP_PORT_RESERVED (ports less than 1024)."

The details tab shows the Source Port to be 4384 and the target port 21. The attributes tab gives the source and destination Ethernet addresses and the following additional attributes: :TARGETIP (shows a different address than either the source or the target address); :TARGETPORT of 227; :CMD of PORT 207,46,133,140,1,21.

How do I interpret this information? The information on the attack says "An FTP bounce against a privileged port always indicates a malicious attempt to attack a network" but I would like to know what the information is telling me so I can make that determination. The above information is provided by Site Protector and a network sensor running on a Nokia appliance.

Thanks

Dan Wangler, GCIA, IT Security Administrator
IT Security Response Team, Texas Instruments, Inc.
Spring Creek Bldg 1, C196
6500 Chase Oaks Blvd, MS 8417, Plano, Texas, 75023
Tel #: 214-567-8304; Email: [EMAIL PROTECTED]

_______________________________________________
ISSForum mailing list
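As an added example that is not part of the original post or of any ISS product: the :CMD attribute can be read by decoding the PORT argument as RFC 959 defines it (four address octets, then the port as high byte and low byte) and applying the two conditions from the quoted vulnerability text. The function names and the client address 192.0.2.10 are assumptions made for this sketch; the post does not give the real source address.

```python
import ipaddress

IP_PORT_RESERVED = 1024  # ports below this are privileged (from the quoted text)
FTP_DATA_PORT = 20       # the one low port the quoted text treats as expected


def parse_port_cmd(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (IPv4Address, port)."""
    verb, _, arg = cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(f) for f in fields]  # raises ValueError on non-numeric fields
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each field must be in 0-255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]   # high byte, then low byte
    return ip, port


def assess_port_cmd(cmd, client_ip):
    """Report what the PORT command asks the server to connect to.

    client_ip is the source address of the FTP control connection.
    """
    ip, port = parse_port_cmd(cmd)
    return {
        "data_ip": str(ip),
        "data_port": port,
        # Data address differs from the client: the server is being pointed
        # at a third party, which is the "bounce" part of the event.
        "third_party": ip != ipaddress.IPv4Address(client_ip),
        # Port below 1024 and not 20: the "privileged port" part.
        "privileged": port < IP_PORT_RESERVED and port != FTP_DATA_PORT,
    }


if __name__ == "__main__":
    # CMD value from the post; client address is a constructed placeholder.
    print(assess_port_cmd("PORT 207,46,133,140,1,21", "192.0.2.10"))
```

For the CMD quoted in the message this decodes to data address 207.46.133.140 and port 1*256+21 = 277, which is below 1024 and is not port 20. The message quotes :TARGETPORT as 227, so that attribute is worth rechecking against the raw CMD.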
