From owner-freebsd-isp@FreeBSD.ORG Sat Jan 3 17:27:34 2004
Date: Sun, 4 Jan 2004 02:27:16 +0100 (CET)
Message-Id: <200401040127.i041RG9q006665@lobo.ewinter.org>
From: "Julian Stacey"
To: freebsd-isp@freebsd.org
Cc: ewinter@ewinter.org, Norbert Poellmann
Subject: ftpd -r insufficient to protect from writing

Hi freebsd-isp@freebsd.org people

Has anyone seen systems running with an inetd.conf entry of
    ftpd -l -r
where crackers get in & write quantities of crap in pub/ ?

I saw similar maybe 6 months ago, & again recently on another machine. I'm not sure then if I had -r. Again not quite sure if I had a previous "-r" on the latest attacked host, (a co-admin got in before me & turned access off, so not certain of precise original parameters to ftpd)

Is the standard libexec/ftpd considered insecure ?
Should one be running something else, EG /usr/ports/ftp/lukemftpd ?
- Julian Stacey. Unix C & Net Services Consultant - Munich. http://berklix.com
Mail in Ascii/ plain text: HTML is Spam dumped.
Try snuff: your smoking = my allergic headache !
Software patents: Vampires would approve: http://berklix.com/jhs/patents

From owner-freebsd-isp@FreeBSD.ORG Sat Jan 3 20:56:04 2004
Date: Sat, 3 Jan 2004 23:57:56 -0500
From: "Peter Brezny"
Subject: mod_frontpage vulnerability?

Greetings,

I wanted to know if any of you have experienced recent problems running mod_frontpage.

Last week, one of the systems I am running mod_front page on stopped allowing front page logins.

I wasn't able to pinpoint the problem, however, re-installing mod_frontpage fixed the problem.
I'm running a fairly current build:
4.8-RELEASE-p14 #9: Wed Dec 31 17:15:23 EST 2003
Apache/1.3.28 (Unix) mod_perl/1.27 FrontPage/5.0.2.2623 PHP/4.3.4RC1 mod_ssl/2.8.15 OpenSSL/0.9.7a

I get a lot of error messages in the primary httpd_error.log:
[2004-01-03 23:24:46]: uid: (nobody/nobody) gid: (nobody/nobody) cmd: /_vti_bin/fpcount.exe

If anyone's got some insight on what may be going on, or tips for further securing mod_front page, I'd be grateful.

TIA

pb

Peter Brezny
purplecat.net

From owner-freebsd-isp@FreeBSD.ORG Sat Jan 3 22:31:15 2004
Date: Sat, 03 Jan 2004 22:28:11 -0800
Message-Id: <1073197690.2074.45.camel@work.gusalmighty.com>
From: Justin Hopper
To: freebsd-isp@freebsd.org
Subject: Re: mod_frontpage vulnerability?

On Sat, 2004-01-03 at 20:57, Peter Brezny wrote:
> Greetings,
>
> I wanted to know if any of you have experienced recent problems running
> mod_frontpage.

Are you sure the problems were with mod_frontpage or with the Server Extensions?
I haven't seen many problems with mod_frontpage, but the Server Extensions often have problems (and they're not Open Source, so they are difficult to work with).

> Last week, one of the systems I am running mod_front page on stopped
> allowing front page logins.
>
> I wasn't able to pinpoint the problem, however, re-installing mod_frontpage
> fixed the problem.

You reinstalled the mod_frontpage Apache module, or the FrontPage Server Extensions for the vhost?

> I'm running a fairly current build:
> 4.8-RELEASE-p14 #9: Wed Dec 31 17:15:23 EST 2003
> Apache/1.3.28 (Unix) mod_perl/1.27 FrontPage/5.0.2.2623 PHP/4.3.4RC1
> mod_ssl/
> 2.8.15 OpenSSL/0.9.7a
>
> I get a lot of error messages in the primary httpd_error.log:
> [2004-01-03 23:24:46]: uid: (nobody/nobody) gid: (nobody/nobody) cmd:
> /_vti_bin/fpcount.exe

The above entries are standard notices that mod_frontpage will put in the log files. Check the other Apache log files for errors concerning why logins are not being accepted.

> If anyone's got some insight on what may be going on, or tips for further
> securing mod_front page, I'd be grateful.
>
> TIA
>
> pb
>
>
> Peter Brezny
> purplecat.net
>
>
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

-- 
Justin Hopper
UNIX Systems Engineer
BSDHosting.net
Hosting Division of Digital Oasys Inc.
http://www.bsdhosting.net
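
An added example, not part of the thread, relating to the first message's question about `ftpd -l -r`: FreeBSD ftpd's -r flag puts the server in read-only mode, so one check after such an incident is whether every active ftpd line in inetd.conf still carries it, and which directories under the anonymous root would accept writes if it did not. Function names, the sample data and the /var/ftp path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample data
# are constructed for illustration.

# Constructed inetd.conf sample: one disabled entry, one with -r, one without.
sample_inetd_conf() {
    cat <<'EOF'
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l -r
ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -l
EOF
}

# Read inetd.conf text on stdin; for every active line whose program path
# ends in /ftpd, say whether its arguments include -r (alone or clustered,
# e.g. -lr; a simple pattern match, not a full getopt parse).
# Field 6 is the program, field 7 is argv[0], flags start at field 8.
ftpd_entries() {
    awk '
        /^[ \t]*#/ || $6 !~ /\/ftpd$/ { next }
        {
            verdict = "no -r"
            for (i = 8; i <= NF; i++)
                if ($i ~ /^-[A-Za-z0-9]*r[A-Za-z0-9]*$/) verdict = "read-only"
            print verdict ": " $0
        }'
}

# List directories under an anonymous FTP root ($1) that are group- or
# world-writable, or owner-writable and owned by numeric uid $2 (optional:
# the uid anonymous sessions run as). These are where uploads can land if
# the server-side restriction is missing or lost.
writable_dirs() {
    if [ -n "${2:-}" ]; then
        find "$1" -type d \( -perm -0002 -o -perm -0020 \
            -o \( -user "$2" -perm -0200 \) \) -print
    else
        find "$1" -type d \( -perm -0002 -o -perm -0020 \) -print
    fi
}

# Typical use on a live host (paths are assumptions):
#   ftpd_entries < /etc/inetd.conf
#   writable_dirs /var/ftp "$(id -u ftp)"
```

An empty result from `writable_dirs` means filesystem permissions alone would refuse uploads, independent of which flags ftpd was started with.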