From owner-freebsd-questions  Tue Oct 16 12:48:56 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from femail7.sdc1.sfba.home.com (femail7.sdc1.sfba.home.com [24.0.95.87])
	by hub.freebsd.org (Postfix) with ESMTP id C0D2E37B40E
	for <freebsd-questions@FreeBSD.ORG>; Tue, 16 Oct 2001 12:48:53 -0700 (PDT)
Received: from gerhardt-it.com ([24.71.180.125])
          by femail7.sdc1.sfba.home.com
          (InterMail vM.4.01.03.20 201-229-121-120-20010223) with ESMTP
          id <20011016194853.EMIB20013.femail7.sdc1.sfba.home.com@gerhardt-it.com>
          for <freebsd-questions@FreeBSD.ORG>;
          Tue, 16 Oct 2001 12:48:53 -0700
Message-ID: <3BCC919F.B32824A9@gerhardt-it.com>
Date: Tue, 16 Oct 2001 13:59:27 -0600
From: Scott Gerhardt <scott@gerhardt-it.com>
Reply-To: scott@gerhardt-it.com
Organization: Gerhardt Information Technologies
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.19-7.0.1 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.ORG
Subject: ftp security
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

I just set up a FreeBSD 4.4-Release box and enabled anonymous ftp during
the install.

Within 24 hours I noticed a "/Tagged/by/PS2H/" directory under
/var/ftp/pub/incoming.

I couldn't find any good documentation on this, but came accross lots of
other "Tagged" ftp sites when doing a google search on "ftp incoming
tagged".

My conclusion is that this is a common thing and is only slightly
malicous to the extent of ftp uploads consuming disk space.  I would
guess it is just script kiddies trying to find a place to store porn. Am
I correct?

Since I don't need anonymous uploads enabled, I did the following:
1.) Deleted everything under /var/ftp/pub including /incoming
2.) Turned on ftpd logging verbose '-l -l'


With logging on I noticed that there are still anonymous requests to
create "@@Tagged@@_" directories.


Is there anything else I should know?


	- Paranoid


-- 
------------------------------------
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message