From owner-freebsd-security Fri Dec 1 0:23:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2])
	by hub.freebsd.org (Postfix) with ESMTP id CFEBA37B400
	for ; Fri, 1 Dec 2000 00:23:19 -0800 (PST)
Received: (from kuku@localhost)
	by gilberto.physik.rwth-aachen.de (8.9.3/8.9.3) id JAA24840
	for freebsd-security@freebsd.org; Fri, 1 Dec 2000 09:23:19 +0100 (CET)
	(envelope-from kuku)
Date: Fri, 1 Dec 2000 09:23:19 +0100 (CET)
From: Christoph Kukulies
Message-Id: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>
To: freebsd-security@freebsd.org
Subject: which ftpd
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I want to keep anonymous ftp on one of my machines but I'm not sure
whether I should use wuftpd or the stock distributed ftpd.

I want to have logging of what users/sites are doing. But I want security
also.

I just discovered a bunch of suspicious files and directories in my
incoming directory:

drwxrwx-wx root/staff        0 Nov 28 19:45 2000 incoming/
drwxr-xr-x ftp/staff         0 Jul 31 00:04 2000 incoming/sm/
drwxr-xr-x ftp/staff         0 Aug 14 16:44 2000 incoming/. XFer/
drwxr-xr-x ftp/staff         0 Aug 14 16:50 2000 incoming/j/
drwxr-xr-x ftp/staff         0 Aug 21 04:15 2000 incoming/~tmp./
drwxr-xr-x ftp/staff         0 Aug 21 04:16 2000 incoming/.../
drwxr-xr-x ftp/staff         0 Nov  7 02:50 2000 incoming/.../ .sys/
-rw-r--r-- ftp/staff       937 Nov  7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
-rw-r--r-- ftp/staff  15000000 Nov  7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
-rw-r--r-- ftp/staff   6307200 Nov  7 02:51 2000 incoming/.../ .sys/eth-mmad.r01
drwxr-xr-x ftp/staff         0 Sep 21 17:45 2000 incoming/test345/
drwxr-xr-x ftp/staff         0 Oct 20 01:14 2000 incoming/ . test345/
-rw-r--r-- ftp/staff   1000000 Oct 20 01:14 2000 incoming/ . test345/1MB
drwxr-xr-x ftp/staff         0 Nov 14 07:22 2000 incoming/ngf/
drwxr-xr-x ftp/staff         0 Nov 20 00:04 2000 incoming/asd/
drwxr-xr-x ftp/staff         0 Nov 21 11:32 2000 incoming/_ax/

The three-dot directories are normally used by intruder tools.
I'm wondering if this was an attack or just a trial.

It seems I didn't block creating directories, otherwise it wouldn't have
been possible to create that, but I'm wondering if this is possible
to disallow under the stock ftpd.

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
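
The following Python example is added here and is not part of the original message: it walks an upload tree such as the incoming directory listed above and reports entries whose names are built to be overlooked in a listing (dots only, leading dot, padded or embedded whitespace). The function names and the sample directory names, which are modelled on the listing, are constructed for illustration.

```python
import os
import tempfile

def name_flags(name):
    """Return the reasons one path component looks disguised (empty list if none)."""
    flags = []
    core = name.strip()
    if core != name:
        flags.append("leading/trailing whitespace")
    if len(core) >= 3 and set(core) == {"."}:
        flags.append("dots only")
    elif core.startswith("."):
        flags.append("hidden (leading dot)")
    if any(c.isspace() for c in core):
        flags.append("embedded whitespace")
    if any(not c.isprintable() for c in name):
        flags.append("non-printable character")
    return flags

def scan_upload_tree(root):
    """Walk root and return sorted (relative_path, flags) for every flagged entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            flags = name_flags(name)
            if flags:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, flags))
    return sorted(findings)

# Constructed sample names, modelled on the listing in the message.
SAMPLE_DIRS = ["sm", "j", "test345", "...", ".../.sys", ". XFer", " . test345"]

def build_sample_tree(root):
    """Create the constructed sample directories under root."""
    for rel in SAMPLE_DIRS:
        os.makedirs(os.path.join(root, *rel.split("/")), exist_ok=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, flags in scan_upload_tree(root):
            print(f"{rel!r}: {', '.join(flags)}")
```

Run periodically against the upload area, the report gives an early signal that the directory is being used as a drop site; ordinary names such as sm or test345 are not flagged.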