Passive FTP Sessions within HTTP sessions

Gary Flynn flynngn at jmu.edu
Wed Jul 16 14:19:56 GMT 2003


Hi,

We have a signature in our Snort boxes to detect FTP sessions
on non-standard ports. This signature has started tripping on
web traffic and I don't think it was when I first installed it.

Regardless of whether or not it was previously tripping, I'm stumped
as to what would cause this type of traffic inside an HTTP session
and was wondering if anyone else had any ideas. It worries me because
it looks like a type of relay. Yet I haven't found any HTTP CONNECT
packets leading up to it nor anything else that rings any bells.

The packet below is typical. A web server sends a packet to a
client that appears to have a passive FTP session from a third
system embedded within it. I've seen these packets from all types
of web servers from all types of domains. In fact, I've seen
similar packets from mail servers sending to SMTP ports on what
appear to be other mail servers. FTP commands vary.

Any enlightenment on why and how I would see what appears to be
FTP sessions inside an HTTP or SMTP session would be greatly
appreciated!

134.126.10.60  = www.jmu.edu
24.49.35.144   = Local ISP
134.126.133.24 = A JMU FTP server

I've seen both on- and off-campus systems used in all three
areas.

[**] FTP Server on non-standard port [**]
07/15-21:15:32.329059 134.126.10.60:80 -> 24.49.35.144:3776
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1500
***AP*** Seq: 0x321001AE  Ack: 0xBA7CD3FC  Win: 0xFAF0  TcpLen: 20
35 30 30 20 27 4D 41 43 42 20 45 27 3A 20 63 6F  500 'MACB E': co
6D 6D 61 6E 64 20 6E 6F 74 20 75 6E 64 65 72 73  mmand not unders
74 6F 6F 64 2E 0D 0A 32 30 30 20 54 79 70 65 20  tood...200 Type
73 65 74 20 74 6F 20 41 2E 0D 0A 32 35 30 20 43  set to A...250 C
57 44 20 63 6F 6D 6D 61 6E 64 20 73 75 63 63 65  WD command succe
73 73 66 75 6C 2E 0D 0A 32 32 37 20 45 6E 74 65  ssful...227 Ente
72 69 6E 67 20 50 61 73 73 69 76 65 20 4D 6F 64  ring Passive Mod
65 20 28 31 33 34 2C 31 32 36 2C 31 33 33 2C 32  e (134,126,133,2
32 34 2C 31 39 32 2C 32 29 0D 0A 31 35 30 20 4F  24,192,2)..150 O
70 65 6E 69 6E 67 20 41 53 43 49 49 20 6D 6F 64  pening ASCII mod
65 20 64 61 74 61 20 63 6F 6E 6E 65 63 74 69 6F  e data connectio
6E 20 66 6F 72 20 27 2F 62 69 6E 2F 6C 73 27 2E  n for '/bin/ls'.
0D 0A 32 32 36 20 54 72 61 6E 73 66 65 72 20 63  ..226 Transfer c
6F 6D 70 6C 65 74 65 2E 0D 0A 64 69 66 69 65 64  omplete...dified
2D 53 69 6E 63 65 3A 20 46 72 69 2C 20 30 31 20  -Since: Fri, 01
4E 6F 76 20 32 30 30 32 20 32 32 3A 30 37 3A 35  Nov 2002 22:07:5
39 20 47 4D 54 0D 0A 49 66 2D 4E 6F 6E 65 2D 4D  9 GMT..If-None-M
61 74 63 68 3A 20 22 32 66 36 37 30 2D 33 66 2D  atch: "2f670-3f-
33 64 63 32 66 62 33 66 22 0D 0A 55 73 65 72 2D  3dc2fb3f"..User-
41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34  Agent: Mozilla/4
2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20  .0 (compatible;
4D 53 49 45 20 35 2E 35 3B 20 57 69 6E 64 6F 77  MSIE 5.5; Window
73 20 39 38 29 0D 0A 48 6F 73 74 3A 20 61 6B 61  s 98)..Host: aka
2E 6C 61 6E 64 73 65 6E 64 2E 63 6F 6D 0D 0A 43  .landsend.com..C
6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D  onnection: Keep-
41 6C 69 76 65 0D 0A 0D 0A 47 45 54 20 2F 6C 65  Alive....GET /le
2F 69 6D 61 67 65 73 2F 6C 65 73 31 5F 73 69 64  /images/les1_sid
65 5F 63 75 72 76 65 5F 74 6F 70 2E 67 69 66 20  e_curve_top.gif
48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74  HTTP/1.1..Accept
3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20  : */*..Referer:
68 74 74 70 3A 2F 2F 77 77 77 2E 6C 61 6E 64 73  http://www.lands
65 6E 64 2E 63 6F 6D 2F 63 64 2F 69 6E 64 65 78  end.com/cd/index
2F 66 70 2F 30 2C 2C 37 35 35 33 2C 30 30 2E 68  /fp/0,,7553,00.h
74 6D 6C 3F 73 69 64 3D 30 35 32 34 30 30 31 31  tml?sid=05240011
39 38 38 39 33 31 39 34 30 30 30 0D 0A 41 63 63  98893194000..Acc
65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E  ept-Language: en
2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F  -us..Accept-Enco
64 69 6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C  ding: gzip, defl
61 74 65 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64  ate..If-Modified
2D 53 69 6E 63 65 3A 20 4D 6F 6E 2C 20 31 33 20  -Since: Mon, 13
4D 61 79 20 32 30 30 32 20 32 33 3A 34 34 3A 30  May 2002 23:44:0
38 20 47 4D 54 0D 0A 49 66 2D 4E 6F 6E 65 2D 4D  8 GMT..If-None-M
61 74 63 68 3A 20 22 32 36 33 38 2D 31 30 39 2D  atch: "2638-109-
33 63 65 30 34 66 63 38 22 0D 0A 55 73 65 72 2D  3ce04fc8"..User-
41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34  Agent: Mozilla/4
2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20  .0 (compatible;
4D 53 49 45 20 35 2E 35 3B 20 57 69 6E 64 6F 77  MSIE 5.5; Window
73 20 39 38 29 0D 0A 48 6F 73 74 3A 20 61 6B 61  s 98)..Host: aka
2E 6C 61 6E 64 73 65 6E 64 2E 63 6F 6D 0D 0A 43  .landsend.com..C
6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D  onnection: Keep-
41 6C 69 76 65 0D 0A 0D 0A BD 91 90 68 B3 7B BA  Alive.......h.{.
9E 2C AF 64 64 E8 E4 FD CC 06 CA 59 35 AE 2A 47  .,.dd......Y5.*G
4F D1 36 44 AD 8A 92 08 88 7F 47 17 51 0A 7F A2  O.6D......G.Q...
1F 2E 9A 91 BF 08 E8 85 D1 D1 D2 E3 A9 29 A8 28  .............).(
-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University
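
A small triage script, added here as an example and not part of Gary's post, that does by hand what the Snort signature does implicitly: find RFC 959 reply lines in a TCP payload, decode the 227 (PASV) address, and compare it with the packet's source address. The payload is transcribed from the hex dump above and truncated after the first HTTP header fragment; the field names and the reply-line regex are this example's own choices, not the logic of the Snort rule.

```python
import re
from ipaddress import IPv4Address, ip_address

# Payload transcribed from the hex dump in the post (134.126.10.60:80 -> 24.49.35.144:3776),
# truncated after the first HTTP header fragment that follows the FTP-looking text.
PAYLOAD = (
    b"500 'MACB E': command not understood.\r\n"
    b"200 Type set to A.\r\n"
    b"250 CWD command successful.\r\n"
    b"227 Entering Passive Mode (134,126,133,224,192,2)\r\n"
    b"150 Opening ASCII mode data connection for '/bin/ls'.\r\n"
    b"226 Transfer complete.\r\n"
    b"dified-Since: Fri, 01 Nov 2002 22:07:59 GMT\r\n"
    b'If-None-Match: "2f670-3f-3dc2fb3f"\r\n'
)

# RFC 959 reply line: three-digit code, then a space (last line) or '-' (continuation).
FTP_REPLY_RE = re.compile(rb"^(?P<code>[1-5]\d\d)[ -](?P<text>.*)$")
# h1,h2,h3,h4,p1,p2 inside a 227 reply; tolerant of the surrounding text and parentheses.
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# An HTTP CONNECT request line, which would indicate a proxy tunnel.
HTTP_CONNECT_RE = re.compile(rb"^CONNECT\s+\S+\s+HTTP/1\.[01]\s*$", re.MULTILINE)
# Any "Name: value" header line, i.e. HTTP traffic mixed into the same segment.
HTTP_HEADER_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*: ", re.MULTILINE)


def ftp_replies(payload):
    """Return (code, text) for every CRLF-delimited line shaped like an FTP server reply."""
    replies = []
    for line in payload.split(b"\r\n"):
        m = FTP_REPLY_RE.match(line)
        if m:
            replies.append((int(m.group("code")), m.group("text").decode("ascii", "replace")))
    return replies


def parse_pasv(text):
    """Decode the h1..h4,p1,p2 tuple of a 227 reply into (IPv4Address, port).

    Returns None when the tuple is missing or any field exceeds 255, so a
    malformed reply cannot be turned into a bogus address.
    """
    m = PASV_RE.search(text)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return host, port


def triage(src_ip, src_port, payload):
    """Summarise why a segment looks like FTP and where its data connection would go."""
    replies = ftp_replies(payload)
    pasv = next((parse_pasv(t) for c, t in replies if c == 227), None)
    return {
        "ftp_reply_lines": len(replies),
        "reply_codes": [c for c, _ in replies],
        "on_standard_ftp_port": src_port == 21,
        "pasv_target": pasv,
        # A PASV host that differs from the sender is the "third system" in the post.
        "pasv_host_is_sender": pasv is not None and pasv[0] == ip_address(src_ip),
        "http_connect_seen": HTTP_CONNECT_RE.search(payload) is not None,
        "http_headers_present": HTTP_HEADER_RE.search(payload) is not None,
    }


if __name__ == "__main__":
    for key, value in triage("134.126.10.60", 80, PAYLOAD).items():
        print(f"{key}: {value}")
```

Run against the dump above it reports six reply lines, a PASV data endpoint of 134.126.133.224 port 49154 (192*256 + 2) that is not the sending host, no CONNECT request, and HTTP header lines in the same segment. The same functions apply to any other "FTP server on non-standard port" alert, which is the point of keeping the reply-line and PASV parsing separate from the per-packet verdict.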
