From owner-freebsd-isp Fri Oct 25 15:33:00 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA26987 for isp-outgoing; Fri, 25 Oct 1996 15:33:00 -0700 (PDT)
Received: from radio.nwpros.com (nwpros.com [205.229.128.214]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA26979 for ; Fri, 25 Oct 1996 15:32:56 -0700 (PDT)
Received: from rickbox.nwpros.com (rickbox.nwpros.com [205.229.128.217]) by radio.nwpros.com (8.6.12/8.6.12) with SMTP id RAA01416 for ; Fri, 25 Oct 1996 17:32:56 -0500
Message-Id: <1.5.4.32.19961025224330.00688860@nwpros.com>
X-Sender: rickg@nwpros.com
X-Mailer: Windows Eudora Light Version 1.5.4 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 25 Oct 1996 17:43:30 -0500
To: freebsd-isp@freebsd.org
From: Rick Gray
Subject: Hackers
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I believe I know what my FTP problem is. After I rebooted I noticed several people FTPing into the system, none who are customers. Looking at the home/FTP/pub files shows nothing but when I did a ls -a it showed a hidden file: ../ ../stevan. This is the file the hackers are retrieving. I can't even delete the file or change the access. I must warn everyone of this. The users use the email name of mozilla@ for the majority. So somehow when these guys come into my system, it screws up FTP. I disabled FTP in inetd until I find a solution to this problem.

I was told that FreeBSD was very secure but now someone has found a loophole somewhere, I guess. Is there a way to deny these hackers access but allow my customers access? Again, I am using wu_ftp and tcp_wrappers on my 2.0 system. I don't know how to stop them other than not run FTP which of course is not acceptable. So everyone do a ps ax and check to see if anyone is FTPed into your system as mozilla. Those are the majority of hackers I saw...I guess they all use the same name.

One last thing... they were not FTPing directly to me. They were going through other machines to cover their tracks. I informed one company of the problem but they said they can't help since this person was not a customer. I found that strange. They would be able to see someone using their system too. I hope I have warned enough of you. If you have a solution to my/our problem, PLEASE let me know. I use FTP quite a bit along with several of my customers. Thanks.
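
Added example, not part of the original message: a POSIX shell check for the kind of entry described above, one that plain ls hides and ls -a prints confusingly. It assumes such names start with a dot or contain blanks or control characters (the message does not say exactly what the name was); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.

# List entries under directory $1 whose names start with a dot or contain
# whitespace or control characters. Each path is wrapped in [ ] so that
# leading and trailing blanks in a name are visible.
find_odd_names() {
    find "$1" -mindepth 1 \
        \( -name '.*' -o -name '*[[:space:]]*' -o -name '*[[:cntrl:]]*' \) \
        -print | sed -e 's/^/[/' -e 's/$/]/'
}

# Number of such entries (a name containing a newline counts once per line).
count_odd_names() {
    find_odd_names "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for an anonymous FTP pub area.
# "pub/.. " (dot dot space) looks like the parent directory in a listing.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/pub/docs" "$root/pub/.. " "$root/pub/.hidden/sub dir"
    : > "$root/pub/README"
    : > "$root/pub/.. /payload"
    echo "$root"
}

sample=$(make_sample_tree)
find_odd_names "$sample/pub"
echo "odd entries: $(count_odd_names "$sample/pub")"
rm -rf "$sample"
```

To check a live server, call find_odd_names on the real anonymous FTP directory instead of the sample tree.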