From owner-freebsd-isp Thu Feb 6 13:43:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA08157 for isp-outgoing; Thu, 6 Feb 1997 13:43:06 -0800 (PST)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA08120 for ; Thu, 6 Feb 1997 13:42:56 -0800 (PST)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id QAA18107; Thu, 6 Feb 1997 16:43:25 -0500 (EST)
Date: Thu, 6 Feb 1997 16:43:25 -0500 (EST)
From: Dev Chanchani
To: Ricardo Kleemann
cc: FreeBSD ISP list
Subject: Re: hacking - help
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Ricardo,

Make sure your shell for the ftp users is set to something like /bin/date,
etc., so they cannot log in to the account. Also, make sure the ftp home
directory is not writable. Other than that, look for ftpd.core files
(perhaps a buffer overflow in ftp allowing a user to get a shell through
ftp)? Did you notice any other details?

Regards,

Dev Chanchani
Trifecta Interactive

On Wed, 5 Feb 1997, Ricardo Kleemann wrote:

> Hi,
>
> Today I noticed someone was logged into my freebsd machine, as user ftp.
> I immediately killed the shell and saw that soon he was back in.
>
> I then just made sure ftp had no shell, in hopes he won't be able to get
> in.
>
> But, the real question is, what hole must I plug to prevent this? Is there
> a known hole where someone can log in as ftp and gain root access?
>
> Thank God, it seems no damage was done (I hope! I haven't noticed anything
> other than wtmp was erased).
>
> Also, does freebsd support host.allow and host.deny? I didn't see those
> files in /etc and there was no man page
>
> Thanks for any help!
> Ricardo
>
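
The three checks suggested in the reply above (ftp login shell, writable ftp home directory, stray ftpd.core files), as an added shell example that is not part of the original thread. The function names, and the use of a shells(5)-format file to decide what counts as a login shell, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments so the checks can
# run against copies; /etc/passwd-style 7-field input is assumed.
# Usage: audit_ftp_account /etc/passwd /etc/shells ftp /

# Print field N of USER's entry in a passwd(5)-format file.
passwd_field() {  # passwd_field FILE USER N
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# Succeed if USER exists and its shell field is empty (defaults to /bin/sh)
# or is listed in the shells(5)-format file, i.e. it is a real login shell.
has_login_shell() {  # has_login_shell PASSWD SHELLS USER
    [ -n "$(passwd_field "$1" "$3" 1)" ] || return 1
    sh_path=$(passwd_field "$1" "$3" 7)
    if [ -z "$sh_path" ]; then return 0; fi
    grep -qxF -- "$sh_path" "$2"
}

# Succeed if DIR has a group/other write bit set, or is owned by numeric
# uid OWNER_UID with the owner write bit set (a conservative reading).
dir_writable_by() {  # dir_writable_by DIR OWNER_UID
    ls -ldn -- "$1" 2>/dev/null | awk -v uid="$2" '
        { w = (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" ||
               ($3 == uid && substr($1, 3, 1) == "w")) }
        END { exit !w }'
}

# Print every ftpd.core file found under the given directories.
find_ftpd_cores() {  # find_ftpd_cores DIR...
    find "$@" -type f -name 'ftpd.core' 2>/dev/null
}

# Run all three checks; print findings and return how many there were.
audit_ftp_account() {  # audit_ftp_account PASSWD SHELLS USER SEARCH_DIR
    findings=0
    if has_login_shell "$1" "$2" "$3"; then
        echo "FINDING: $3 has a usable login shell"; findings=$((findings + 1))
    fi
    home_dir=$(passwd_field "$1" "$3" 6); owner_uid=$(passwd_field "$1" "$3" 3)
    if [ -n "$home_dir" ] && dir_writable_by "$home_dir" "$owner_uid"; then
        echo "FINDING: $home_dir is writable"; findings=$((findings + 1))
    fi
    cores=$(find_ftpd_cores "$4")
    if [ -n "$cores" ]; then
        echo "FINDING: core files present:"; echo "$cores"; findings=$((findings + 1))
    fi
    return "$findings"
}
```

A return value of 0 means none of the three conditions was found; a core file is only a lead to investigate, not proof of compromise.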