Date: Fri, 1 Dec 2000 02:29:09 -0800 From: Kris Kennaway <kris@FreeBSD.ORG> To: Nevermind <never@nevermind.kiev.ua> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Important!! Vulnerability in standard ftpd Message-ID: <20001201022909.A44090@citusc17.usc.edu> In-Reply-To: <20001201122124.H2185@nevermind.kiev.ua>; from never@nevermind.kiev.ua on Fri, Dec 01, 2000 at 12:21:24PM %2B0200 References: <20001201122124.H2185@nevermind.kiev.ua>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Fri, Dec 01, 2000 at 12:21:24PM +0200, Nevermind wrote: > Hello! > > The parallel thread are discussing suspicious > drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/* > dirs. I'm 100% sure that it is hack. I've been hacked few month ago this way. > (with standard ftpd) > > First I've found incoming/~tmp./ dir. > Then I've found suspicious process called "supa" (it may vary, I think). > I don't exactly remember how I found directory in which ls -la said: > ls: .: No such file or directory. > > This hack corrupts filesystem to make it's datadirs invisible. > fsck in single mode severeal times helps. > > It is ttyp* and ttyv* sniffer, logger, password cracker. > Please, check it out! Check what out? Probably your machine has some other vulnerability which was leveraged. You have given us nothing here beyond showing that your ftp server has a world writable directory. Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjonfXUACgkQWry0BWjoQKW02QCfXG0NiAAcl963v6niKwW6Wn5x 2EYAni0MXDf1HH3IyUhLHxMVCFZqPzA0 =k7/5 -----END PGP SIGNATURE-----home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001201022909.A44090>