Date: Fri, 1 Dec 2000 05:47:24 -0700
From: Chris Wasser <cwasser@v-wave.com>
To: FreeBSD security <security@FreeBSD.ORG>
Subject: Re: which ftpd
Message-ID: <20001201054724.A21271@skunkworks.area51-arpa.mil>
In-Reply-To: <20001201142153.B329@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Dec 01, 2000 at 02:21:54PM +0200
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201142153.B329@ringworld.oblivion.bg>
On Fri 01 Dec 2000, Peter Pentchev wrote:
> It would seem to me that what you're seeing is somebody trying to use
> your machine as storage for warez. In particular, the '.../ .sys/'
> directory contains files with names and sizes that look a lot like
> the 15MB RAR archives used by some warez groups to 'distribute' their
> findings.

I actually replied to this but accidentally sent it to the wrong mailing list. This is indeed a file-drop situation. I've seen it many times before, and had a somewhat unique perspective on such activities.

I recently switched from ProFTPd to the stock FreeBSD ftpd 6.00LS because it was becoming a pain to keep up with new problems in ProFTPd (albeit few and far between), and decided it was far easier to use the stock ftpd for ftp services [after all, it comes with the OS; no need to compile a port to get ftp services up and going]. Granted, ProFTPd is somewhat easier to set up (the apache-like configuration helps a lot), but I see no difference in quality of service except perhaps a few missing options such as ftp bandwidth limiting (which can be accomplished other ways anyway).

The "exploit" or "vulnerability" he's talking about I've seen before, mostly through an exploited ftpd called "glftpd", which is riddled with bugs (and unfortunately is distributed only in platform-specific binaries, making it hard to 'sanitize' -- in which case I'd think using jail would be preferable if you must run this particular piece of software -- and it's my personal opinion that services such as httpd and ftpd should be run inside a jail anyway), and it does indeed log input (in this particular case, the person who had installed it, when I found it on a friend's machine, had captured ftp, ssh and console [local] login names and passwords and hidden the executable and its logged information in /var/spool/lpd/.lpd/).

Ideally, the best approach is not to allow anonymous upload access, or do as someone suggested and make your incoming directory write-only, thus preventing would-be couriers from making your site into a public file drop. Having a world writable/readable incoming directory is just begging to be abused. </ramble>

-Chris
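The write-only "incoming" directory and the ".../ .sys/" hiding pattern discussed in the message above, as an added shell example (not code from the thread or from any FreeBSD ftpd). It assumes mode 1733 (sticky, write+search for everyone, no read for group/other) as the write-only setting, a 10 MB size threshold for spotting RAR pieces, and a constructed directory tree built under mktemp; paths and thresholds are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Locks down an anonymous FTP
# "incoming" directory so uploads work but contents can't be listed or
# fetched, and scans an FTP tree for the hidden drop directories described
# above ("..."/" .sys"-style names and ~15MB archive pieces).

# Create or fix the incoming dir. Mode 1733 (assumption): owner rwx, group
# and other get write+search but no read, sticky bit so one uploader can't
# rename or delete another's files (or yours).
setup_incoming() {
    root=$1
    mkdir -p "$root/incoming"
    chmod 1733 "$root/incoming"
}

# Symbolic mode string, e.g. "drwx-wx-wt"; portable across GNU and BSD ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when the directory is a proper write-only drop: no read bit for
# group (col 5) or other (col 8), and sticky bit on other-execute (col 10).
incoming_is_writeonly() {
    case "$(mode_of "$1")" in
        d???-??-?[tT]) return 0 ;;
    esac
    return 1
}

# Directories whose names use the usual hiding tricks: leading dot, all
# dots, or leading/trailing space. Prints one path per line.
find_hidden_dirs() {
    find "$1" -mindepth 1 -type d \( -name '.*' -o -name ' *' -o -name '* ' \) -print | sort
}

# Number of files at or above a size threshold in KiB (default 10240 KiB,
# an assumption chosen to catch the 15MB RAR pieces the thread mentions).
count_large_files() {
    find "$1" -type f -size +"${2:-10240}"k | wc -l | tr -d ' '
}

# Demo on a constructed tree (the ".../ .sys" layout is modelled on the
# message above; the files are sparse so this runs instantly offline).
demo() {
    root=$(mktemp -d)
    setup_incoming "$root"
    mkdir -p "$root/incoming/.../ .sys"
    truncate -s 15M "$root/incoming/.../ .sys/grp-xyz.r00"
    truncate -s 15M "$root/incoming/.../ .sys/grp-xyz.r01"
    echo "incoming mode: $(mode_of "$root/incoming")"
    echo "hidden dirs:"
    find_hidden_dirs "$root/incoming"
    echo "large files: $(count_large_files "$root/incoming")"
    rm -rf "$root"
}

demo
```

Run it as root on the real FTP root to apply the mode; the scan functions are safe to run as any user that can read the tree. Note that the mode check reads permission bits only: root (and a mis-owned directory) can still list a 1733 directory, so also confirm the directory is owned by root rather than the ftp user.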
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001201054724.A21271>