From owner-freebsd-security  Fri Dec  1  2:27:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from athena.za.net (athena.za.net [196.30.167.200])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6149937B400; Fri,  1 Dec 2000 02:27:49 -0800 (PST)
Received: from localhost (jus@localhost)
	by athena.za.net (8.9.3/8.9.3) with ESMTP id KAA06886;
	Fri, 1 Dec 2000 10:27:14 GMT
	(envelope-from jus@security.za.net)
X-Authentication-Warning: athena.za.net: jus owned process doing -bs
Date: Fri, 1 Dec 2000 12:27:14 +0200 (SAST)
From: Justin Stanford <jus@security.za.net>
X-Sender: jus@athena.za.net
To: Nevermind <never@nevermind.kiev.ua>
Cc: freebsd-security@freebsd.org, freebsd-stabe@freebsd.org
Subject: Re: Important!! Vulnerability in standard ftpd
In-Reply-To: <20001201122124.H2185@nevermind.kiev.ua>
Message-ID: <Pine.BSF.4.21.0012011226450.6208-100000@athena.za.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can anyone confirm this, that there is some kind of remotely workable
vulnerability in the current stock ftpd (6.00LS)..?

--
Justin Stanford
082 7402741
jus@security.za.net
www.security.za.net
IT Security and Solutions


On Fri, 1 Dec 2000, Nevermind wrote:

> Hello!
> 
> The parallel thread are discussing suspicious 
>  drwxr-xr-x ftp/staff         0 Jul 31 00:04 2000 incoming/*
> dirs. I'm 100% sure that it is hack. I've been hacked few month ago this way.
> (with standard ftpd)
> 
> First I've found incoming/~tmp./ dir.
> Then I've found suspicious process called "supa" (it may vary, I think).
> I don't exactly remember how I found directory in which ls -la said:
> ls: .: No such file or directory.
> 
> This hack corrupts filesystem to make it's datadirs invisible.
> fsck in single mode severeal times helps.
> 
> It is ttyp* and ttyv* sniffer, logger, password cracker.
> Please, check it out!
> 
> -- 
> Alexandr P. Kovalenko	http://nevermind.kiev.ua/
> NEVE-RIPE
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message