Preface: FTP invalid PORT commandLogo -Internet Security Systems

FTP invalid PORT command
advICE :Intrusions : 2001301
 FAQ
Oh my gosh, I'm being HACKED!!!
How do I report the hacker to my ISP?
I'm seeing lots of attacks, is this normal?
Summary

This indicates an intrusion attempt against the FTP service. Few machines are vulnerable to this attack.

Details

A "PORT" command is part of the FTP protocol and is usually not seen by the user, though the user will often see status messages like "PORT command successful". It tells the other side of the connection where to send data. It should be formatted as a comma-separated list of 6 numbers. Example: 

	PORT 192,0,2,63,4,01
This above example tells the other side to transfer data on 192.0.2.63, port 1025. If this command has been corrupted, then it is likely that an attacker is attempting to compromise the FTP service. However, since most FTP services are no longer vulnerable to this attack, it is unlikely that a compromise has actually occurred.
 more information
advICE: FTP defense  
How to harden an FTP server against Internet attacks.  
advICE: FTP exploits  
A list of common ways that intruders break into FTP servers.  
NcFTPd remote buffer overflow  
The NcFTPd program contains a buffer overflow problem in its PORT command.  
More on NcFTPd buffer overflow  
 
advICE: Buffer overflows  
More about this general class of attacks, which is the root cause of many attacks on the Internet.  
BugtraqID: 271   BisonWare Multiple Vulnerabilities
Issuing "PORT a" followed by several thousand carriage returns will cause server to crash.  

 parametric information
resultIndicates the reply to the FTP command. See FTP reply codes 

 
Version appeared:
Privacy Policy |  Copyright Info