Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
34 lines (32 sloc) 1.11 KB
title: Suspicious VSFTPD Error Messages
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/dagwieers/vsftpd/
author: Florian Roth
date: 2017/07/05
logsource:
product: linux
service: vsftpd
detection:
keywords:
- 'Connection refused: too many sessions for this address.'
- 'Connection refused: tcp_wrappers denial.'
- 'Bad HTTP verb.'
- 'port and pasv both active'
- 'pasv and port both active'
- 'Transfer done (but failed to open directory).'
- 'Could not set file modification time.'
- 'bug: pid active in ptrace_sandbox_free'
- 'PTRACE_SETOPTIONS failure'
- 'weird status:'
- "couldn't handle sandbox event"
- 'syscall * out of bounds'
- 'syscall not permitted:'
- 'syscall validate failed:'
- 'Input line too long.'
- 'poor buffer accounting in str_netfd_alloc'
- 'vsf_sysutil_read_loop'
condition: keywords
falsepositives:
- Unknown
level: medium