From owner-freebsd-security  Sun Nov 25 12: 0:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail9.wlv.netzero.net (mail9.wlv.netzero.net [209.247.163.66])
	by hub.freebsd.org (Postfix) with SMTP id 2944F37B41A
	for <freebsd-security@freebsd.org>; Sun, 25 Nov 2001 12:00:39 -0800 (PST)
Received: (qmail 13143 invoked from network); 25 Nov 2001 20:00:37 -0000
Received: from ppp-65-91-243-213.mclass.broadwing.net (HELO musicstudio) (65.91.243.213)
  by mail9.wlv.netzero.net with SMTP; 25 Nov 2001 20:00:37 -0000
Message-ID: <03e501c175ec$19332b40$d5f35b41@musicstudio>
From: "Kevin & Anita Kinsey" <k_a_kinsey@netzero.net>
To: <freebsd-security@freebsd.org>
Subject: analysis of attack ??
Date: Sun, 25 Nov 2001 14:02:21 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_03E2_01C175B9.CD39C780"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_03E2_01C175B9.CD39C780
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

A hobbyist (me) recently set up a FreeBSD box for a friend's SOHO.  It =
serves as MTA, WWW, and FTP (for webpage upload) server, and sits behind =
a NAT-ting router, which passes ftp/www/smtp traffic to appropriate =
ports (under 'ideal' conditions, anyway). =20

During a recent visit [after too long an absence] I discovered his =
bandwidth was totally eaten up (ping>2 seconds to upstream server) and =
the cause was this box.  Unusually named files appeared in =
/var/ftp/pub/pub, and /etc/group showed that guest had root privileges.  =
I removed the machine from the net promptly and began wiping the disk =
for a reinstall. =20

Questions:
*Does the fact that the files were in the public ftp directory mean that =
Mr. Badguy came in via anonymous FTP, or did he sniff a user password =
floating unencrypted over the 'Net?

*What should I do if/when (God forbid) this happens again to give me =
(you?) more to analyze.....?

*Is there a better way [than FTP] to have his 'webmaster' (page =
designer) upload pages to the site?

*I realize I'm probably a total idiot who doesn't deserve a root pw, but =
please don't hit me too hard, the last 'friend' he had gave him no mail =
service at all and had anonymous FTP login default to /wwwroot on his =
IIS server.  (Thanks, Nimda....)

Kevin Kinsey

------=_NextPart_000_03E2_01C175B9.CD39C780
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2614.3500" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>A&nbsp;hobbyist (me) recently set up a =
FreeBSD box=20
for a friend's SOHO.&nbsp; It&nbsp;serves as MTA, WWW, and FTP (for =
webpage=20
upload)&nbsp;server, and sits behind a NAT-ting router, which passes=20
ftp/www/smtp traffic to&nbsp;appropriate ports (under 'ideal' =
conditions,=20
anyway).&nbsp; </FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>During a recent visit [after too long =
an=20
absence]&nbsp;I discovered&nbsp;his bandwidth was&nbsp;totally eaten up=20
(ping&gt;2 seconds to upstream server) and the cause was this box.&nbsp; =

Unusually named files appeared in /var/ftp/pub/pub, and /etc/group =
showed that=20
guest had root privileges.&nbsp; I removed the machine from the net =
promptly and=20
began wiping the disk for a reinstall.&nbsp;&nbsp;</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Questions:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>*Does the fact that the files were in =
the public=20
ftp directory mean that Mr. Badguy came in via anonymous FTP, or did he =
sniff a=20
user password floating unencrypted over the 'Net?</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>*What should I do if/when (God forbid) =
this happens=20
again to give me (you?) more to analyze.....?</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>*Is there a better way [than FTP] to =
have&nbsp;his=20
'webmaster' (page designer)&nbsp;upload pages to the site?</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>*I realize I'm probably a total idiot =
who doesn't=20
deserve a root pw, but please don't hit me too hard, the last 'friend' =
he had=20
gave him no mail service at all and had&nbsp;anonymous FTP login default =
to=20
/wwwroot on his IIS server.&nbsp; (Thanks, Nimda....)</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Kevin Kinsey</FONT></DIV></BODY></HTML>

------=_NextPart_000_03E2_01C175B9.CD39C780--

----------------------------------------------------
Sign Up for NetZero Platinum Today
Only $9.95 per month!
http://my.netzero.net/s/signup?r=platinum&refcd=PT97

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message