5668/0, Unauthenticated FTP Connection

mhellman
Level 7

So I have some internal application that is apparently issuing a PORT command without authenticating first, causing this sig to fire. I'm trying to decide whether I care (does this have security implications or is this just another stupid app).

What is the purpose of the signature? Is there a particular vulnerability it attempts to detect? Is there some FTP server that allows the PORT command without authentication first?

3 Replies

wsulym
Cisco Employee

Yes, there are actually a couple vulnerable servers that allow that to happen.

It is exactly the port command issued to start the session. If the signature fires from a constant source or to a constant destination, I'd investigate at least so you know what it is and make your decision.

Thanks. Can you give me details on which ftp software is affected? I know in this case, the ftp daemon is not affected.

HP-UX had an issue with its FTP daemon. That was what this was written for. Basically, the daemon allowed connections and directory listing retrieval as user root ... unauthenticated. I seem to remember another, but can't find it.
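An added example, not part of the original thread and not Cisco's signature logic: a minimal check for the condition discussed above, a PORT command on the FTP control channel before the server has returned 230, which also records the server's reply to help decide whether an alert matters. The function name, transcript format and sample sessions are constructed for illustration.

```python
import re

LOGIN_OK = "230"                               # RFC 959: "User logged in, proceed"
REPLY_RE = re.compile(r"^(\d{3})(?:[ -]|$)")   # single- and multi-line replies

def find_unauthenticated_port(transcript):
    """Flag PORT commands sent before the server confirmed a login.

    transcript: (direction, line) tuples in wire order; "C" = client,
    "S" = server. Each hit records the server's reply code so you can
    tell a refused request (5xx) from an accepted one (2xx).
    """
    authenticated = False
    pending = None          # hit still waiting for the server's reply
    hits = []
    for index, (direction, line) in enumerate(transcript):
        line = line.strip()
        if direction == "S":
            match = REPLY_RE.match(line)
            if not match:
                continue
            if pending is not None:
                pending["reply"] = match.group(1)
                pending = None
            if match.group(1) == LOGIN_OK:
                authenticated = True
        else:
            verb = line.split(" ", 1)[0].upper()
            if verb == "REIN":          # REIN discards the login state
                authenticated = False
            elif verb == "PORT" and not authenticated:
                pending = {"index": index, "command": line, "reply": None}
                hits.append(pending)
    return hits

# Constructed sample sessions (documentation addresses, not real captures).
LOGGED_IN = [("S", "220 FTP server ready"), ("C", "USER alice"),
             ("S", "331 Password required"), ("C", "PASS example"),
             ("S", "230 User logged in"), ("C", "PORT 192,0,2,10,19,137"),
             ("S", "200 PORT command successful")]
NO_LOGIN = [("S", "220 FTP server ready"), ("C", "PORT 192,0,2,10,19,137"),
            ("S", "530 Please login with USER and PASS")]

if __name__ == "__main__":
    for name, session in (("LOGGED_IN", LOGGED_IN), ("NO_LOGIN", NO_LOGIN)):
        print(name, find_unauthenticated_port(session))
```

A hit with a 5xx reply, as in `NO_LOGIN`, means the server refused the command; a hit with a 2xx reply means the server accepted PORT before login and is the case to investigate.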
