Asadoorian, Paul D Paul_Asadoorian at
Wed Jan 29 13:09:04 GMT 2003

A machine in one of our dorms generates the following three Snort rules
at a very rapid pace:

181 instances of FTP format string attempt
2652 instances of FTP wu-ftp file completion attempt
5258 instances of FTP command overflow attempt
11871 instances of FTP wu-ftp file completion attempt

The machine on campus listens on port 21 and machines from the Internet
connect to it and generate the above alerts.  When I connect to port 21
on the host I get the following:

$MyNick <snip> $Lock
?e/qZ93J.ZK7.w<LxE(EUk<4n+B_O&6>94jPh<UHnx%Othyon4hwDQJ:zIY@<BeEr at Zb@y)F
x3yM]hB'<@j]Yx0/.vwX1d Pk=R?szyT][b\j/\lKj|

The "<snip>" is what I think is the IRC user's nickname.  I've searched
the web on a couple of different occasions and could not figure out
what is going on.

Any thoughts?


Paul Asadoorian
Brown University CIRT

