From owner-freebsd-questions  Wed Sep 12 13:49:27 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5C7F137B401; Wed, 12 Sep 2001 13:49:19 -0700 (PDT)
Received: from hades.hell.gr (patr530-a049.otenet.gr [212.205.215.49])
	by mailsrv.otenet.gr (8.11.5/8.11.5) with ESMTP id f8CKnDx27373;
	Wed, 12 Sep 2001 23:49:13 +0300 (EEST)
Received: (from charon@localhost)
	by hades.hell.gr (8.11.6/8.11.6) id f8CIGX065884;
	Wed, 12 Sep 2001 21:16:33 +0300 (EEST)
	(envelope-from charon@labs.gr)
Date: Wed, 12 Sep 2001 21:16:32 +0300
From: Giorgos Keramidas <charon@labs.gr>
To: "P. U. (Uli) Kruppa" <root@pukruppa.de>
Cc: current@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: anonymous-ftp cracked
Message-ID: <20010912211632.A65756@hades.hell.gr>
References: <20010912174347.Q1009-100000@pukruppa.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010912174347.Q1009-100000@pukruppa.de>; from root@pukruppa.de on Wed, Sep 12, 2001 at 05:52:23PM +0200
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

From: P. U. (Uli) Kruppa <root@pukruppa.de>
Subject: anonymous-ftp cracked
Date: Wed, Sep 12, 2001 at 05:52:23PM +0200

> I am running -CURRENT (ok - though I do not know anything
> about computers)

Why are you running -CURRENT?  Users that are running -CURRENT are expected to
be able to track relatively simple problems like this one, without asking tons
of questions.  And this is not a problem of -CURRENT but of ftpd setup :-/

> and just found about about 624 MB trash in
> my /var/ftp -  this is my anonymous-ftp -directory.
> It was disposed in a sub-directory
> ../incoming/tagged/byDj-krok .

You have not been cracked.  Somebody just uses your writable /incoming
directory to store their data.  Since they *do* have write access in there,
this is a legitimate use of your FTP server.

> What can I do (besides deleting this stuff)?

Do not allow write access in /var/ftp/incoming ?

Another common thing done in writable incoming/ directories is to create a
file of fixed size, say 100 Mb, and use vnconfig to mount this file as the
incoming/ directory of an FTP server.  Then there's only about 100 Mb of
space available in your incoming/ and nobody can store tons of data in there,
wasting your disk space until disks are full.

-giorgos


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message