Date:      Fri, 1 Dec 2000 11:53:39 +0200
From:      Nevermind <never@nevermind.kiev.ua>
To:        James Wyatt <jwyatt@rwsystems.net>
Cc:        Christoph Kukulies <kuku@gilberto.physik.rwth-aachen.de>, freebsd-security@FreeBSD.ORG
Subject:   Re: which ftpd
Message-ID:  <20001201115339.G2185@nevermind.kiev.ua>
In-Reply-To: <Pine.BSF.4.10.10012010332310.42770-100000@bsdie.rwsystems.net>; from jwyatt@rwsystems.net on Fri, Dec 01, 2000 at 03:41:38AM -0600
References:  <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <Pine.BSF.4.10.10012010332310.42770-100000@bsdie.rwsystems.net>

Hello, James Wyatt!


On Fri, 1 Dec 2000, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.
> 
> I just discovered a bunch of suspicious files and directories
> in my incoming directory:
> drwxrwx-wx root/staff        0 Nov 28 19:45 2000 incoming/
> drwxr-xr-x ftp/staff         0 Jul 31 00:04 2000 incoming/sm/
> drwxr-xr-x ftp/staff         0 Jul 31 00:04 2000 incoming/~tmp./
I was hacked a few months ago with this kind of sht, using the standard ftpd.
ps ax | grep supa
Also run fsck in single-user mode several times, then search for suspicious dirs in
/var/games and /var/*.

This is a hack based on loading a kernel module which prevents a process named supa
from being killed.
Also try to find a dir and/or file named "lohi".

I'm not sure about this, because they may change executable names.

-- 
Alexandr P. Kovalenko	http://nevermind.kiev.ua/
NEVE-RIPE


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
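The sweep Alexandr describes above (look for a "supa" process, hunt /var for "lohi", and eyeball the incoming directory for entries like "~tmp.") as one script. This is an added example, not code from the poster or from the FreeBSD project; the function names (find_supa, find_odd_names, sweep, sample_ps) are this example's own, and the ps lines and directory tree it runs on are constructed so it can be tried offline. On a real host you would feed it `ps ax` output and the real /var and incoming paths, and on FreeBSD also check `kldstat` for the kernel module he mentions.

```shell
#!/bin/sh
# Added example: sweep a host for the indicators named in the reply above.
# All sample data below is constructed; nothing here is a real capture.

# Read `ps ax` output on stdin, print lines whose command contains "supa".
# The header line is skipped. Exit 0 if anything matched, 1 otherwise.
# (Unlike `ps ax | grep supa`, this never reports the grep process itself.)
find_supa() {
    awk 'NR > 1 && index($0, "supa") { print; found = 1 } END { exit !found }'
}

# List entries under $1 whose names match what the thread shows:
# "lohi", names starting with "~" or ".", names ending with "." (like "~tmp."),
# or names containing a space. The search root itself is not reported.
find_odd_names() {
    find "$1" \( -name 'lohi' -o -name '~*' -o -name '.*' \
                 -o -name '*.' -o -name '* *' \) ! -path "$1" 2>/dev/null | sort
}

# Whole sweep: $1 is a file holding `ps ax` output, the remaining arguments
# are directories to search (e.g. /var and the ftp incoming dir).
# Returns 0 when nothing was found, 1 when any indicator was hit.
sweep() {
    psfile=$1
    shift
    hits=0
    if find_supa < "$psfile"; then
        hits=1
    fi
    for d in "$@"; do
        out=$(find_odd_names "$d")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            hits=1
        fi
    done
    return $hits
}

# Constructed `ps ax` output (hypothetical, not from a real machine).
sample_ps() {
    cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
    1  ??  ILs    0:00.02 /sbin/init --
  123  ??  Is     0:00.05 /usr/sbin/ftpd -l
  666  ??  R      1:23.45 supa
  700  p0  S      0:00.01 -sh (sh)
EOF
}

# Stand-alone demonstration on a constructed directory tree.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/incoming/sm" "$demo_root/incoming/~tmp." "$demo_root/games"
: > "$demo_root/games/lohi"
sample_ps > "$demo_root/ps.txt"
if sweep "$demo_root/ps.txt" "$demo_root"; then
    echo "clean"
else
    echo "indicators found above; investigate from single-user mode"
fi
rm -rf "$demo_root"
```

As the poster says himself, the names are the weak part of this: an attacker who renames "supa" or "lohi" walks past a name-based sweep, so treat a clean result as "not this particular kit" rather than "not compromised", and still run the single-user fsck and module check.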




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001201115339.G2185>