[nsp-sec] NACK for AS217 Re: 12k probably compromised FTP accounts

Florian Weimer fweimer at bfk.de
Fri Apr 4 13:10:08 EDT 2008


* Brian Eckman:

> Any username that is provided to the server (including 'ftp') is treated 
> as the anonymous user - any password works. So it isn't a "compromised 
> account" (thus the NACK).

I think the data comes from a login interception, and without
verification (that is, login using the stolen credentials, a no-no
from our perspective), it's hard to tell what type of account it is.
So anonymous FTP logins for upload queues etc. end up in the list as
false positives.

(Just returning from travel, haven't talked about this with the rest
of the team. 8-)

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99


