Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
Sigma rule
title: Suspicious VSFTPD Error Messages
id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
status: test
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
    - https://github.com/dagwieers/vsftpd/
author: Florian Roth (Nextron Systems)
date: 2017-07-05
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: linux
    service: vsftpd
detection:
    keywords:
        - 'Connection refused: too many sessions for this address.'
        - 'Connection refused: tcp_wrappers denial.'
        - 'Bad HTTP verb.'
        - 'port and pasv both active'
        - 'pasv and port both active'
        - 'Transfer done (but failed to open directory).'
        - 'Could not set file modification time.'
        - 'bug: pid active in ptrace_sandbox_free'
        - 'PTRACE_SETOPTIONS failure'
        - 'weird status:'
        - 'couldn''t handle sandbox event'
        - 'syscall * out of bounds'
        - 'syscall not permitted:'
        - 'syscall validate failed:'
        - 'Input line too long.'
        - 'poor buffer accounting in str_netfd_alloc'
        - 'vsf_sysutil_read_loop'
    condition: keywords
falsepositives:
    - Unknown
level: medium
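The rule above is a plain keyword match, but two Sigma details matter when it is applied outside a Sigma backend: keyword comparison is case-insensitive, and `*` (as in `syscall * out of bounds`) is a wildcard, so the list cannot simply be passed to a substring search. The following added example (not code from the Sigma project or the rule author) translates each keyword into an escaped, case-insensitive regular expression and runs the resulting detector over a handful of constructed vsftpd syslog lines; the log lines, their timestamps, pids and client address are all made up for the demonstration, and the assumption that vsftpd fatal errors surface as `500 OOPS: <message>` only affects the sample data, not the matching logic.

```python
import re

# Keyword list copied from the Sigma rule; '*' is a Sigma wildcard, every
# other character (including '.', '(' and ')') is a literal to be escaped.
VSFTPD_KEYWORDS = [
    'Connection refused: too many sessions for this address.',
    'Connection refused: tcp_wrappers denial.',
    'Bad HTTP verb.',
    'port and pasv both active',
    'pasv and port both active',
    'Transfer done (but failed to open directory).',
    'Could not set file modification time.',
    'bug: pid active in ptrace_sandbox_free',
    'PTRACE_SETOPTIONS failure',
    'weird status:',
    "couldn't handle sandbox event",
    'syscall * out of bounds',
    'syscall not permitted:',
    'syscall validate failed:',
    'Input line too long.',
    'poor buffer accounting in str_netfd_alloc',
    'vsf_sysutil_read_loop',
]


def sigma_keyword_to_regex(keyword: str) -> re.Pattern:
    """Compile one Sigma keyword into a regex with Sigma's matching semantics.

    Sigma keywords are case-insensitive substring matches where '*' stands
    for any run of characters and '?' for a single character.
    """
    parts = []
    for ch in keyword:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile(''.join(parts), re.IGNORECASE)


# Compile once; the rule has no field selector, so every pattern is tried
# against the whole log line.
COMPILED = [(kw, sigma_keyword_to_regex(kw)) for kw in VSFTPD_KEYWORDS]


def match_line(line: str):
    """Return the first keyword the rule would fire on for this line, or None."""
    for kw, rx in COMPILED:
        if rx.search(line):
            return kw
    return None


def scan(lines):
    """Return (line, keyword) pairs for every line the rule flags."""
    hits = []
    for line in lines:
        kw = match_line(line)
        if kw is not None:
            hits.append((line, kw))
    return hits


# Constructed sample log lines in vsftpd's syslog style; not real server output.
SAMPLE_LOG = [
    'Mon Jan  1 12:00:00 2024 [pid 4321] CONNECT: Client "192.0.2.10"',
    'Mon Jan  1 12:00:00 2024 [pid 4321] [ftp] OK LOGIN: Client "192.0.2.10", anon password "x"',
    'Mon Jan  1 12:00:03 2024 [pid 4330] Connection refused: too many sessions for this address.',
    'Mon Jan  1 12:00:07 2024 [pid 4333] 500 OOPS: bad http verb.',   # differs only in case
    'Mon Jan  1 12:00:09 2024 [pid 4340] syscall 59 out of bounds',   # needs the '*' wildcard
    'Mon Jan  1 12:00:11 2024 [pid 4341] 500 OOPS: Input line too long.',
    'Mon Jan  1 12:00:15 2024 [pid 4350] [ftp] OK DOWNLOAD: Client "192.0.2.10", "/pub/readme.txt", 1024 bytes',
]

if __name__ == '__main__':
    for line, kw in scan(SAMPLE_LOG):
        print(f'ALERT [{kw}] <- {line}')
```

Running the block prints four alerts: the two normal login/download lines pass, while the lower-cased `bad http verb.` line and the `syscall 59 out of bounds` line are caught only because the detector honours Sigma's case-insensitivity and wildcard rules; a naive `keyword in line` check would miss both.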
References
- https://github.com/dagwieers/vsftpd/
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations