From owner-freebsd-security Fri Aug 31 19:10:43 2001
Message-ID: <3B900B4B.119FBA2F@mediaone.net>
Date: Fri, 31 Aug 2001 22:10:19 +0000
From: "The Marino's"
Reply-To: postroad@mediaone.net
To: freebsd-security@freebsd.org
Subject: Tagged by Spissatus

I was configuring a new server and foolishly put it on the wire while I was configuring. Anonymous ftp was enabled and I got an Upload that was a nasty directory tree with some Divx files;

Tagged: By Spissatus: Scan by Riot 667 Upload by spissatus Dx2 Missing files Deep Blue Sea: Lots of DiVX files.

Is this as simple as it looks or is this a deeper exploit that may have compromised any user accounts??

I yanked out world write access but it came back a few hours later. The GID of the ftp user is 5 (operator) and the /var/ftp directory is root:operator. Is that normal for a 4.3-stable release out of the box or have they gotten enough information to run "chown" and "chmod"?
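An added example, not part of the original message: a shell function that lists which directories under an anonymous FTP root the FTP account can write to, covering the cases the post raises (world-writable directories, and a tree whose group is the ftp user's group). The function name `audit_ftp_tree` and the label strings are hypothetical; the root path, uid and gid are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): report directories under an
# FTP root that the anonymous FTP account is able to write to, and why.

# audit_ftp_tree ROOT FTP_UID FTP_GID   (hypothetical helper name)
# Prints one "reason: path" line per finding. A directory can appear
# under more than one reason.
audit_ftp_tree() {
    root=$1; ftp_uid=$2; ftp_gid=$3

    # World-writable: any account, including the anonymous one, can
    # create, rename or delete entries in this directory.
    find "$root" -type d -perm -0002 -print |
        sed 's/^/world-writable: /'

    # Group-writable, and the directory's group is the FTP account's
    # group, so the FTP account gets write access through the group bits.
    find "$root" -type d -group "$ftp_gid" -perm -0020 -print |
        sed 's/^/group-writable: /'

    # Owned by the FTP account: the owner of a directory may change its
    # mode, so removing a write bit here does not take away control.
    find "$root" -type d -user "$ftp_uid" -print |
        sed 's/^/owned-by-ftp: /'
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then
    audit_ftp_tree "$1" "$2" "$3"
fi
```

For the layout described in the post the call would be `audit_ftp_tree /var/ftp <ftp uid> 5`, with the ftp account's uid filled in from the password file.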