From: Scott Gerhardt
Date: Tue, 16 Oct 2001 14:57:33 -0600
To: Tim Erlin
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ftp security

Thanks Tim,

Wouldn't a complete reinstall be overkill when it only "appears" that
someone put some mysterious files in an anonymous ftp incoming directory?
It's not like someone cracked into the system; putting files in
/var/ftp/pub/incoming is normal. Unless the ftpd that comes with
FreeBSD 4.4-Release has a gaping security hole I don't know about.

The default ftpd that comes with FreeBSD chroots anonymous users and has
built-in commands, so it should be quite secure, right?

- Scott

Tim Erlin wrote:
>
> You'll see on this list numerous times the caveat (or something
> similar): "Once a box has been compromised, there is no way other than
> a complete re-install to be sure that you have fixed/cleaned/removed
> the damage done."
>
> If you're paranoid, this would be such a case, I would think.
>
> --Tim
>
> --- Scott Gerhardt wrote:
> > I just set up a FreeBSD 4.4-Release box and enabled anonymous ftp
> > during the install.
> >
> > Within 24 hours I noticed a "/Tagged/by/PS2H/" directory under
> > /var/ftp/pub/incoming.
> >
> > I couldn't find any good documentation on this, but came across lots
> > of other "Tagged" ftp sites when doing a google search on "ftp
> > incoming tagged".
> >
> > My conclusion is that this is a common thing and is only slightly
> > malicious to the extent of ftp uploads consuming disk space. I would
> > guess it is just script kiddies trying to find a place to store
> > porn. Am I correct?
> >
> > Since I don't need anonymous uploads enabled, I did the following:
> > 1.) Deleted everything under /var/ftp/pub including /incoming
> > 2.) Turned on ftpd logging verbose '-l -l'
> >
> > With logging on I noticed that there are still anonymous requests to
> > create "@@Tagged@@_" directories.
> >
> > Is there anything else I should know?
> >
> > - Paranoid
> >
> > --
> > ------------------------------------
> > Scott Gerhardt, P.Geo.
> > Gerhardt Information Technologies

--
------------------------------------
Scott Gerhardt, P.Geo.
Gerhardt Information Technologies
306.227.5290
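
A follow-up check for the situation in this thread, added here as an example and not part of the original messages: after removing the incoming directory, confirm that nothing under the anonymous FTP root is still world-writable and that no "Tagged"-style directories remain. The function name `audit_ftp_root` is hypothetical, and /var/ftp is assumed as the anonymous root because that is the path used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an anonymous FTP root.
# audit_ftp_root DIR prints one finding per line:
#   WRITABLE <path>  directory is world-writable, so uploads/mkdir can land there
#   TAGGED <path>    directory name contains "tagged" (any case), e.g. Tagged,
#                    @@Tagged@@_...
# Return status: 0 = clean, 1 = findings printed, 2 = DIR is not a directory.
# Not covered here: directories owned by the ftp user itself, which are
# writable by anonymous sessions even without the world-write bit.
audit_ftp_root() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    findings=$(
        find "$root" -type d -perm -0002 -print | sed 's/^/WRITABLE /'
        find "$root" -type d -iname '*tagged*' -print | sed 's/^/TAGGED /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit_ftp.sh /var/ftp
if [ "$#" -gt 0 ]; then
    audit_ftp_root "$1"
fi
```

The non-zero status on findings makes this usable from cron, where any output is mailed to the administrator.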