From owner-freebsd-security Fri Dec 1 4:23:29 2000
Date: Fri, 1 Dec 2000 14:21:54 +0200
From: Peter Pentchev
To: Christoph Kukulies
Cc: freebsd-security@freebsd.org
Subject: Re: which ftpd
Message-ID: <20001201142153.B329@ringworld.oblivion.bg>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>
In-Reply-To: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de>; from kuku@gilberto.physik.rwth-aachen.de on Fri, Dec 01, 2000 at 09:23:19AM +0100

It would seem to me that what you're seeing is somebody trying to use
your machine as storage for warez. In particular, the '.../ .sys/'
directory contains files with names and sizes that look a lot like the
15MB RAR archives used by some warez groups to 'distribute' their
findings.

I *think* the others might be just somebody testing to see if they can
upload files onto your server, and belatedly realizing that there is no
way to remove the files and directories they've created.

G'luck,
Peter

-- 
This sentence every third, but it still comprehensible.

On Fri, Dec 01, 2000 at 09:23:19AM +0100, Christoph Kukulies wrote:
> I want to keep anonymous ftp on one of my machines but
> I'm not sure whether I should use wuftpd or the stock distributed
> ftpd. I want to have logging what users/sites are doing.
> But I want security also.
>
> I just discovered a bunch of suspicious files and directories
> in my incoming directory:
>
> drwxrwx-wx root/staff 0 Nov 28 19:45 2000 incoming/
> drwxr-xr-x ftp/staff 0 Jul 31 00:04 2000 incoming/sm/
> drwxr-xr-x ftp/staff 0 Aug 14 16:44 2000 incoming/. XFer/
> drwxr-xr-x ftp/staff 0 Aug 14 16:50 2000 incoming/j/
> drwxr-xr-x ftp/staff 0 Aug 21 04:15 2000 incoming/~tmp./
> drwxr-xr-x ftp/staff 0 Aug 21 04:16 2000 incoming/.../
> drwxr-xr-x ftp/staff 0 Nov 7 02:50 2000 incoming/.../ .sys/
> -rw-r--r-- ftp/staff 937 Nov 7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
> -rw-r--r-- ftp/staff 15000000 Nov 7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
> -rw-r--r-- ftp/staff 6307200 Nov 7 02:51 2000 incoming/.../ .sys/eth-mmad.r01
> drwxr-xr-x ftp/staff 0 Sep 21 17:45 2000 incoming/test345/
> drwxr-xr-x ftp/staff 0 Oct 20 01:14 2000 incoming/ . test345/
> -rw-r--r-- ftp/staff 1000000 Oct 20 01:14 2000 incoming/ . test345/1MB
> drwxr-xr-x ftp/staff 0 Nov 14 07:22 2000 incoming/ngf/
> drwxr-xr-x ftp/staff 0 Nov 20 00:04 2000 incoming/asd/
> drwxr-xr-x ftp/staff 0 Nov 21 11:32 2000 incoming/_ax/
>
> The three-dot directories are normally used by intruder tools.
> I'm wondering if this was an attack or just a trial.
>
> It seems I didn't block creating directories, otherwise it wouldn't have
> been possible to create that, but I'm wondering if this is possible
> to disallow under the stock ftpd.
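As an added illustration of the pattern Peter points out (not code from either poster), the following script scans a tar -tv style listing like the one quoted above and flags the tell-tale signs of an anonymous incoming directory being used as a drop site: name components built to hide from a casual ls, multi-volume RAR pieces with their SFV checksum file, and large uploads owned by the ftp user. The listing embedded in it is a constructed copy of the mail's entries, and the 5 MB size threshold is an assumption.

```python
import re
# Constructed sample input: a copy of the tar -tv style listing quoted in the mail
# (perms owner/group size Mon day HH:MM year path), trimmed to eight entries.
SAMPLE_LISTING = """\
drwxrwx-wx root/staff 0 Nov 28 19:45 2000 incoming/
drwxr-xr-x ftp/staff 0 Aug 14 16:44 2000 incoming/. XFer/
drwxr-xr-x ftp/staff 0 Nov 7 02:50 2000 incoming/.../ .sys/
-rw-r--r-- ftp/staff 937 Nov 7 02:49 2000 incoming/.../ .sys/eth-mmad.sfv
-rw-r--r-- ftp/staff 15000000 Nov 7 02:50 2000 incoming/.../ .sys/eth-mmad.r00
-rw-r--r-- ftp/staff 6307200 Nov 7 02:51 2000 incoming/.../ .sys/eth-mmad.r01
drwxr-xr-x ftp/staff 0 Sep 21 17:45 2000 incoming/test345/
-rw-r--r-- ftp/staff 1000000 Oct 20 01:14 2000 incoming/ . test345/1MB
"""

RAR_PIECE = re.compile(r"\.(rar|r\d\d|sfv)$", re.IGNORECASE)  # multi-volume RAR + checksum
LARGE_UPLOAD = 5_000_000  # bytes; assumed threshold, a 15 MB volume is well above it

def parse_line(line):
    """Split a listing line into (perms, owner, size, path); the path may contain spaces."""
    fields = line.split(None, 7)
    if len(fields) != 8:
        return None
    perms, owner_group, size, _mon, _day, _time, _year, path = fields
    return perms, owner_group.split("/")[0], int(size), path

def deceptive_components(path):
    """Names that hide from a casual ls: leading/trailing blanks, dot-prefixed or dot-suffixed."""
    return [c for c in path.split("/")
            if c and (c != c.strip() or c.startswith(".") or c.endswith("."))]

def flag_entry(line):
    """Return the reasons an entry looks like drop-site abuse, or [] if it looks clean."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    _perms, owner, size, path = parsed
    reasons = []
    hidden = deceptive_components(path)
    if hidden:
        reasons.append("deceptive name component(s): " + ", ".join(map(repr, hidden)))
    if RAR_PIECE.search(path.rstrip("/")):
        reasons.append("RAR volume / SFV checksum file")
    if owner == "ftp" and size >= LARGE_UPLOAD:  # the anonymous user wrote something big
        reasons.append(f"large anonymous upload ({size} bytes)")
    return reasons

def scan_listing(text):
    """Map each flagged path to its reasons; clean entries are left out."""
    flagged = ((parse_line(l), flag_entry(l)) for l in text.splitlines())
    return {parsed[3]: why for parsed, why in flagged if why}
```

Run against a real incoming directory, feed it the output of `tar -tvf` over that tree (or any listing in the same field order) instead of the embedded sample.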