From: "Thomas T. Veldhouse" <veldy@veldy.net>
To: "Maximum"; freebsd-security@freebsd.org; "Brett Glass"
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE
Date: Wed, 1 Aug 2001 13:19:30 -0500

Somebody keeps trying to install something through my FTPd when it is set up to allow anonymous users (no directories available for upload either). I opened up the FTP ports on Sunday night and I had somebody hack into my system before Monday morning. Lucky for me, they ran out of space on /var before they were able to do any damage.

Seems there is a security hole with the installed ftpd. I usually use proftpd, which has always been secure for me. The only reason I switched back was that I needed a quick way to increase the timeout for ftp to my server (Dreamweaver likes a long timeout).

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Brett Glass"
To: "Maximum"
Sent: Wednesday, August 01, 2001 12:55 PM
Subject: Re: Trojan injected in my Freebsd 4.1-RELEASE

> At 08:24 AM 8/1/2001, Maximum wrote:
>
> >In one of the shell scripts I'm talking about I found the copyright mark "nrfbsdrk v0.1 by gREMLiNs".
>
> The final letters of "nrfbsdrk" almost certainly stand for "FreeBSD rootkit."
> I'd be interested in knowing what was exploited to install it. Could be BIND
> or telnetd.
>
> --Brett
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message