On 2010/05/25 8:43 AM, Butturini, Russell wrote:
> Curious if anyone else on the list has seen this. For the last two days, I
> am seeing some bizarre looking buffer overflow attempts against one of my FTP
> servers from an IP in Vietnam. The IPS is catching them as they're
> triggering the FTP PASS Suspicious Length signature. They don't appear to be
> happening on regular intervals, which makes me doubt automation, but I'm
> curious if it's some kind of new zero day that's floating around. If it is
> automated, this isn't the type of thing I've ever seen bots try before. I've
> pasted a snippet of the IPS event below where the password is being sent.
> Anybody else seen this?
>
> a: 0000 61 74 6f 72 0d 0a 50 41 53 53 20 31 71 61 32 77 ator..PASS 1qa2w
> Data: 0010 73 33 65 64 34 72 66 35 74 67 36 79 68 37 75 6a s3ed4rf5tg6yh7uj
> Data: 0020 38 69 6b 31 71 61 32 77 73 33 65 64 34 72 66 35 8ik1qa2ws3ed4rf5
> Data: 0030 74 67 36 79 68 37 75 6a 38 69 6b 0d 0a tg6yh7uj8ik..

You may have noticed this, but that password is just sequential characters
from a US English keyboard layout - 1, then drop down to qa, then 2, drop
down to ws, etc. I know plenty of people who use sequences like that for
default passwords, although to be sure, they don't tend to go up as high as
8ik. :-)

Maybe it's just somebody trying for default passwords.

Mike
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
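
Added example, not part of the original thread: a triage helper that rebuilds the payload from the IPS hexdump quoted above, extracts the PASS argument, and reports whether it is a repeated US-QWERTY keyboard walk. The function names, the one-column adjacency heuristic and the 0.9 threshold are assumptions made for this illustration.

```python
import re

# US QWERTY rows; keys sharing an index sit in the same slanted column (1-q-a-z).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
COL = {ch: c for row in ROWS for c, ch in enumerate(row)}

# Sample input: the hexdump lines copied from the quoted message above.
SAMPLE = [
    "a: 0000 61 74 6f 72 0d 0a 50 41 53 53 20 31 71 61 32 77 ator..PASS 1qa2w",
    "Data: 0010 73 33 65 64 34 72 66 35 74 67 36 79 68 37 75 6a s3ed4rf5tg6yh7uj",
    "Data: 0020 38 69 6b 31 71 61 32 77 73 33 65 64 34 72 66 35 8ik1qa2ws3ed4rf5",
    "Data: 0030 74 67 36 79 68 37 75 6a 38 69 6b 0d 0a tg6yh7uj8ik..",
]
HEX_LINE = re.compile(r"\b[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}(?:\s|$)){1,16})")

def parse_hexdump(lines):
    """Rebuild payload bytes from 'offset hh hh ... ascii' lines (max 16 bytes each)."""
    return b"".join(bytes.fromhex(m.group(1)) for m in map(HEX_LINE.search, lines) if m)

def pass_argument(payload):
    """Return the argument of the first FTP PASS command, or None."""
    m = re.search(rb"PASS ([^\r\n]*)\r\n", payload)
    return m.group(1).decode("latin-1") if m else None

def repeat_unit(s):
    """Shortest prefix u with s == u * k; returns (u, k)."""
    for n in range(1, len(s) + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n], len(s) // n
    return s, 1

def walk_ratio(s):
    """Fraction of consecutive key pairs at most one keyboard column apart."""
    steps = list(zip(s.lower(), s.lower()[1:]))
    near = sum(1 for a, b in steps if a in COL and b in COL and abs(COL[a] - COL[b]) <= 1)
    return near / len(steps) if steps else 0.0

def triage(lines, min_ratio=0.9):
    """Summarise a PASS alert: length, repeated unit, and keyboard-walk verdict."""
    pw = pass_argument(parse_hexdump(lines))
    if pw is None:
        return None
    unit, repeats = repeat_unit(pw)
    ratio = walk_ratio(unit)
    return {"length": len(pw), "unit": unit, "repeats": repeats,
            "walk_ratio": ratio, "keyboard_walk": len(unit) >= 4 and ratio >= min_ratio}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted event this reports a 48-character password made of one 24-character walk sent twice, which is why it trips a length signature without carrying anything that looks like overflow data.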
