From owner-freebsd-security Sun Nov 25 12:20:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196]) by hub.freebsd.org (Postfix) with ESMTP id 635E737B405 for ; Sun, 25 Nov 2001 12:20:11 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192) id EE86A81D2D; Sun, 25 Nov 2001 14:20:05 -0600 (CST)
Date: Sun, 25 Nov 2001 14:20:05 -0600
From: Alfred Perlstein
To: Kevin & Anita Kinsey
Cc: freebsd-security@freebsd.org
Subject: Re: analysis of attack ??
Message-ID: <20011125142005.D13393@elvis.mu.org>
References: <03e501c175ec$19332b40$d5f35b41@musicstudio>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <03e501c175ec$19332b40$d5f35b41@musicstudio>; from k_a_kinsey@netzero.net on Sun, Nov 25, 2001 at 02:02:21PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Kevin & Anita Kinsey [011125 14:00] wrote:
>
> Questions:
> *Does the fact that the files were in the public ftp directory
> mean that Mr. Badguy came in via anonymous FTP, or did he sniff a
> user password floating unencrypted over the 'Net?

That's really not possible to determine for sure, even if your ftp
site configuration data was available.

> *What should I do if/when (God forbid) this happens again to give
> me (you?) more to analyze.....?

Keeping better logfiles would be good, setting them immutable or
having them sent to a completely separate machine or even to a
printer could work and hopefully keep the log entries from being
altered.

> *Is there a better way [than FTP] to have his 'webmaster' (page
> designer) upload pages to the site?

Actually I recently saw that _finally_ they came out with a client
that does ftp over ssh. I think DataFellows has such a client; you
should check it out.

> *I realize I'm probably a total idiot who doesn't deserve a root
> pw, but please don't hit me too hard, the last 'friend' he had gave
> him no mail service at all and had anonymous FTP login default to
> /wwwroot on his IIS server. (Thanks, Nimda....)

Being proactive and knowing when to ask for help speaks a lot for
you; however, it would probably make sense for you to hire a decent
consultant. Take a look at the commercial consultants available on
www.freebsd.org or www.bsdmall.com (they offer training, last I
checked).

best of luck,

--
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
http://www.morons.org/rants/gpl-harmful.php3
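The reply's advice on logging (immutable files, a separate log host, or a printer) is about keeping an intruder from silently rewriting the record of what happened. The example below is added here and is not part of Alfred's reply or the thread; it goes one step beyond the measures he lists and shows how the separate log host can make the entries it receives tamper-evident: each stored record carries an HMAC over the previous record's MAC and its own line, so editing or deleting any record in the middle breaks the chain, and periodically writing the latest MAC somewhere else (the printer, in Alfred's terms) catches truncation of the tail, which a chain alone cannot see. The key, the log lines and the function names are all constructed for this example.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed example key. In practice it is generated on, and never
# leaves, the log host, so a machine that is compromised cannot forge MACs.
LOG_KEY = b"example-log-host-key"
GENESIS = "0" * 64          # MAC "before" the first record

Record = Tuple[str, str]    # (log line, hex MAC chained to the previous record)


def seal(prev_mac: str, line: str, key: bytes = LOG_KEY) -> str:
    """MAC over the previous record's MAC plus this line, so every record
    commits to the entire history that precedes it."""
    msg = prev_mac.encode() + b"\n" + line.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(records: List[Record], line: str, key: bytes = LOG_KEY) -> Record:
    """Append one received log line to the chain (what the log host does)."""
    prev_mac = records[-1][1] if records else GENESIS
    rec = (line, seal(prev_mac, line, key))
    records.append(rec)
    return rec


def verify_chain(records: List[Record], key: bytes = LOG_KEY) -> Optional[int]:
    """Return the index of the first record whose MAC does not match the
    chain, or None if every record is consistent with the ones before it."""
    prev_mac = GENESIS
    for i, (line, mac) in enumerate(records):
        if not hmac.compare_digest(seal(prev_mac, line, key), mac):
            return i
        prev_mac = mac
    return None


def anchored(records: List[Record], anchor_mac: str) -> bool:
    """Check the chain's last MAC against one recorded out of band (printed,
    or stored on another machine). This is what detects a truncated tail."""
    return bool(records) and hmac.compare_digest(records[-1][1], anchor_mac)


# Constructed sample syslog lines, not taken from the original post.
SAMPLE_LINES = [
    "Nov 25 13:58:01 www ftpd[1021]: ANONYMOUS FTP LOGIN FROM 10.0.0.7",
    "Nov 25 13:58:09 www ftpd[1021]: put /pub/incoming/x.tgz = 3145728 bytes",
    "Nov 25 14:01:44 www sshd[1044]: Accepted password for webmaster from 10.0.0.9",
    "Nov 25 14:02:15 www su: webmaster to root on /dev/ttyp2",
]


def build_sample_log() -> List[Record]:
    records: List[Record] = []
    for line in SAMPLE_LINES:
        append_record(records, line)
    return records


def tamper(records: List[Record], index: int, new_line: str) -> List[Record]:
    """Model an intruder editing one stored line in place (returns a copy)."""
    edited = list(records)
    edited[index] = (new_line, edited[index][1])
    return edited


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1][1]                       # what we would print out of band
    print("intact chain   :", verify_chain(log))                 # None
    print("edited line 2  :", verify_chain(tamper(log, 1, "scrubbed")))  # 1
    print("deleted line 2 :", verify_chain(log[:1] + log[2:]))  # 1
    print("dropped tail   :", verify_chain(log[:-1]), "anchored:", anchored(log[:-1], anchor))
```

The chain check is the log host's own routine; the out-of-band anchor is only as good as how often it is written out and how hard it is to reach from the monitored machine. Neither replaces the append-only flag or the remote host Alfred suggests; it tells you when those measures failed.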