From owner-freebsd-questions Tue Oct 16 14:13:13 2001
Message-ID: <20011016211307.12345.qmail@web11708.mail.yahoo.com>
Date: Tue, 16 Oct 2001 14:13:07 -0700 (PDT)
From: Tim Erlin
Subject: Re: ftp security
To: scott@gerhardt-it.com
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <3BCC9F3D.B91ADBB3@gerhardt-it.com>

You're probably right, but, again, the only way to be *sure*...

--Tim

--- Scott Gerhardt wrote:
> Thanks Tim,
>
> Wouldn't a complete reinstall be overkill when it only "appears" that
> someone put some mysterious files in an anonymous ftp incoming
> directory?
>
> It's not like someone cracked into the system, putting files in
> /var/ftp/pub/incoming is normal. Unless, the ftpd that comes with
> FreeBSD 4.4-Release has a gaping security hole I don't know about.
>
> The default ftpd that comes with FreeBSD chroots anonymous users and
> has builtin commands so it should be quite secure, right?
>
> - Scott
>
> Tim Erlin wrote:
> >
> > You'll see on this list numerous times the caveat (or
> > something similar): "Once a box has been compromised,
> > there is no way other than a complete re-install to be
> > sure that you have fixed/cleaned/removed the damage
> > done."
> >
> > If you're paranoid, this would be such a case, I would
> > think.
> >
> > --Tim
> >
> > --- Scott Gerhardt wrote:
> > > I just set up a FreeBSD 4.4-Release box and enabled
> > > anonymous ftp during the install.
> > >
> > > Within 24 hours I noticed a "/Tagged/by/PS2H/"
> > > directory under /var/ftp/pub/incoming.
> > >
> > > I couldn't find any good documentation on this, but
> > > came across lots of other "Tagged" ftp sites when doing
> > > a google search on "ftp incoming tagged".
> > >
> > > My conclusion is that this is a common thing and is
> > > only slightly malicious to the extent of ftp uploads
> > > consuming disk space. I would guess it is just script
> > > kiddies trying to find a place to store porn. Am
> > > I correct?
> > >
> > > Since I don't need anonymous uploads enabled, I did
> > > the following:
> > > 1.) Deleted everything under /var/ftp/pub including
> > > /incoming
> > > 2.) Turned on ftpd logging verbose '-l -l'
> > >
> > > With logging on I noticed that there are still
> > > anonymous requests to create "@@Tagged@@_" directories.
> > >
> > > Is there anything else I should know?
> > >
> > > - Paranoid
> > >
> > > --
> > > ------------------------------------
> > > Scott Gerhardt, P.Geo.
> > > Gerhardt Information Technologies
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of
> > > the message
>
> --
> ------------------------------------
> Scott Gerhardt, P.Geo.
> Gerhardt Information Technologies
> 306.227.5290
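
An added example, not part of the thread and not FreeBSD's own tooling: a small audit function for the situation discussed above, listing directories under the anonymous FTP root that the anonymous account could still create entries in, and any directories whose names contain "tagged". The function name, the default account name "ftp" and the output labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit an anonymous-FTP tree.
# Assumptions: the tree root and the anonymous account are passed in
# (the thread uses /var/ftp/pub; "ftp" is an assumed default account name).
# Needs a find(1) with -iname (FreeBSD find and GNU find both have it).

# audit_ftp_tree ROOT [FTP_USER]
#   WRITABLE <dir>  directory the anonymous account could create entries in:
#                   world-writable, or owned by FTP_USER with owner write bit
#   TAGGED <dir>    directory whose name contains "tagged" in any letter case
# Returns 2 if ROOT is not a directory, 0 otherwise.
audit_ftp_tree() {
    aft_root=$1
    aft_user=${2:-ftp}
    if [ ! -d "$aft_root" ]; then
        echo "audit_ftp_tree: not a directory: $aft_root" >&2
        return 2
    fi
    # -exec printf keeps names with spaces or odd characters intact.
    find "$aft_root" -type d \
        \( -perm -0002 -o \( -user "$aft_user" -perm -0200 \) \) \
        -exec printf 'WRITABLE %s\n' {} \;
    find "$aft_root" -type d -iname '*tagged*' \
        -exec printf 'TAGGED %s\n' {} \;
}

# Usage: audit_ftp_tree /var/ftp/pub ftp
```

An empty result means no directory in the tree is open to anonymous writes by mode or ownership and no tag-named directory is present; it says nothing about the rest of the system.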