From owner-freebsd-security  Fri Dec  1  2:21:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nevermind.kiev.ua (unknown [212.109.53.33])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8C70837B400; Fri,  1 Dec 2000 02:21:27 -0800 (PST)
Received: (from never@localhost)
	by nevermind.kiev.ua (8.11.1/8.11.1) id eB1ALPs30096;
	Fri, 1 Dec 2000 12:21:25 +0200 (EET)
	(envelope-from never)
Date: Fri, 1 Dec 2000 12:21:24 +0200
From: Nevermind <never@nevermind.kiev.ua>
To: freebsd-security@freebsd.org
Cc: freebsd-stabe@freebsd.org
Subject: Important!! Vulnerability in standard ftpd
Message-ID: <20001201122124.H2185@nevermind.kiev.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

The parallel thread are discussing suspicious 
 drwxr-xr-x ftp/staff         0 Jul 31 00:04 2000 incoming/*
dirs. I'm 100% sure that it is hack. I've been hacked few month ago this way.
(with standard ftpd)

First I've found incoming/~tmp./ dir.
Then I've found suspicious process called "supa" (it may vary, I think).
I don't exactly remember how I found directory in which ls -la said:
ls: .: No such file or directory.

This hack corrupts filesystem to make it's datadirs invisible.
fsck in single mode severeal times helps.

It is ttyp* and ttyv* sniffer, logger, password cracker.
Please, check it out!

-- 
Alexandr P. Kovalenko	http://nevermind.kiev.ua/
NEVE-RIPE


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message