Date: Sun, 4 Jan 2004 02:27:16 +0100 (CET)
From: "Julian Stacey"
Organization: http://berklix.com/~jhs/
To: freebsd-isp@freebsd.org
cc: ewinter@ewinter.org
cc: Norbert Poellmann
Subject: ftpd -r insufficient to protect from writing

Hi freebsd-isp@freebsd.org people

Has anyone seen systems running with an inetd.conf entry of
	ftpd -l -r
where crackers get in & write quantities of crap in pub/ ?

I saw similar maybe 6 months ago, & again recently on another machine. I'm not sure then if I had -r. Again not quite sure if I had a previous "-r" on the latest attacked host, (a co-admin got in before me & turned access off, so not certain of precise original parameters to ftpd)

Is the standard libexec/ftpd considered insecure ?
Should one be running something else, EG /usr/ports/ftp/lukemftpd ?

-
Julian Stacey. Unix C & Net Services Consultant - Munich. http://berklix.com
Mail in Ascii/ plain text: HTML is Spam dumped.
Try snuff: your smoking = my allergic headache !
Software patents: Vampires would approve: http://berklix.com/jhs/patents