Date: Fri, 1 Dec 2000 02:29:09 -0800 From: Kris Kennaway <kris@FreeBSD.ORG> To: Nevermind <never@nevermind.kiev.ua> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Important!! Vulnerability in standard ftpd Message-ID: <20001201022909.A44090@citusc17.usc.edu> In-Reply-To: <20001201122124.H2185@nevermind.kiev.ua>; from never@nevermind.kiev.ua on Fri, Dec 01, 2000 at 12:21:24PM %2B0200 References: <20001201122124.H2185@nevermind.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
--nFreZHaLTZJo0R7j Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Dec 01, 2000 at 12:21:24PM +0200, Nevermind wrote: > Hello! >=20 > The parallel thread are discussing suspicious=20 > drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/* > dirs. I'm 100% sure that it is hack. I've been hacked few month ago this = way. > (with standard ftpd) >=20 > First I've found incoming/~tmp./ dir. > Then I've found suspicious process called "supa" (it may vary, I think). > I don't exactly remember how I found directory in which ls -la said: > ls: .: No such file or directory. >=20 > This hack corrupts filesystem to make it's datadirs invisible. > fsck in single mode severeal times helps. >=20 > It is ttyp* and ttyv* sniffer, logger, password cracker. > Please, check it out! Check what out? Probably your machine has some other vulnerability which was leveraged. You have given us nothing here beyond showing that your ftp server has a world writable directory. Kris --nFreZHaLTZJo0R7j Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjonfXUACgkQWry0BWjoQKW02QCfXG0NiAAcl963v6niKwW6Wn5x 2EYAni0MXDf1HH3IyUhLHxMVCFZqPzA0 =k7/5 -----END PGP SIGNATURE----- --nFreZHaLTZJo0R7j-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001201022909.A44090>