Printable View
uh, i'm such a noob.
something was reported on my IDS(snort).
1 instances of (spp_stream4) STEALTH ACTIVITY (SYN FIN scan) detection
it is coming from port 21 and goin to port 21 on my machine
would someone please tell me what the hell it is?
something like ftp bounce attack??
thx in advance
Someone is probably running something to the effect of
nmap -sF -g21 <your_ip>
First thing that you should notice that is wrong, is that the source port was the same as the port it was connecting to on your machine. There are very few protocols that function in this way and FTP is not one of them.
The second thing that was wrong is that your IDS saw no intial connection (syn), but saw the request come in from the person using a SYN-FIN flag (connection request with a finish request, which obviously doesn't make sense).
It is nothing other than a plain vanilla syn-fin port scan.
If you need me to explain a ftp bounce attack I can do so...
/nebulus
i asked for the ftp bounce attack 'cos there is something in my ftp server parameters
where i can disable server-server connections with the comment "e.g. ftp bounce attack"
if you would explain...:)
on disabling that would it block such scans (on ftp) ?
..and whats the thinking behind doin a syn-fin port-scan?
i was wondering 'cos the scanner uses redhat 9 as me,is there any exploit related to redhat and ftp-servers ?
(sry for my bad english ,sometimes i don't get the right words...)
An FTP bounce attack is where you use the FTP server to do the port scanning for you.
Because FTP is a unique protocol (you have a control port and a data port, assuming you allow active connections, with the client connecting to the server on the control port and the SERVER opening up the data port back to actually send the file), you can actually abuse how it was meant to work by connecting to the FTP server, then issuing a special command that instructs the FTP server to connect to an IP different from your own on a different port. You will then get a nice message back from the FTP server reporting if the port was open.
Why would you want to do that? Say you are able to FTP into a network that is protected by a firewall (and it isn't a very good firewall and hence allows this kind of activity). If you wanted to scan things behind that firewall (and potentially mask who you are as well as potentially bypass the firewall rules), you could connect to the FTP server and then send PORT requests to the FTP server to hit whatever IP/port you are interested in. It used to be a pretty stealthy way to scan; however, most, if not all, IDS systems pick this up quite easily now.
Here is a starting place to read about it: http://xforce.iss.net/xforce/xfdb/199
Now as far as the syn-fin scan goes, there really isn't that much you can do to stop it aside from making sure you are behind a stateful firewall (it will deny this since a syn-fin would be out of state).
Here is the man entry for nmap which indicates why you might want to run one:
/nebulusQuote:
-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There are
times when even SYN scanning isn't clandestine enough.
Some firewalls and packet filters watch for SYNs to
restricted ports, and programs like Synlogger and
Courtney are available to detect these scans. These
advanced scans, on the other hand, may be able to pass
through unmolested.
The idea is that closed ports are required to reply to
your probe packet with an RST, while open ports must
ignore the packets in question (see RFC 793 pp 64).
The FIN scan uses a bare (surprise) FIN packet as the
probe, while the Xmas tree scan turns on the FIN, URG,
and PUSH flags. The Null scan turns off all flags.
Unfortunately Microsoft (like usual) decided to com-
pletely ignore the standard and do things their own
way. Thus this scan type will not work against systems
running Windows95/NT. On the positive side, this is a
good way to distinguish between the two platforms. If
the scan finds open ports, you know the machine is not
a Windows box. If a -sF,-sX,or -sN scan shows all
ports closed, yet a SYN (-sS) scan shows ports being
opened, you are probably looking at a Windows box.
This is less useful now that nmap has proper OS detec-
tion built in. There are also a few other systems that
are broken in the same way Windows is. They include
Cisco, BSDI, HP/UX, MVS, and IRIX. All of the above
send resets from the open ports when they should just
drop the packet.
No. If it was an FTP bounce attack, it would be coming from port 20 (or perhaps a high port number). But not 21.Quote:
Slarty
BIG BIG thx. goin to read now.
greetz, stanger
i guess it has been related toQuote:
Originally posted here by stanger
i was wondering 'cos the scanner uses redhat 9 as me,is there any exploit related to redhat and ftp-servers ?
proftpd-standalone 1.2.8p-1 ProFTP server security fix
cya...