From owner-freebsd-security Fri Dec 1 4:47:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from area51.v-wave.com (area51.v-wave.com [24.108.173.252]) by hub.freebsd.org (Postfix) with SMTP id E6DBD37B400 for ; Fri, 1 Dec 2000 04:47:29 -0800 (PST)
Received: (qmail 21415 invoked by uid 1001); 1 Dec 2000 12:47:24 -0000
Date: Fri, 1 Dec 2000 05:47:24 -0700
From: Chris Wasser
To: FreeBSD security
Subject: Re: which ftpd
Message-ID: <20001201054724.A21271@skunkworks.area51-arpa.mil>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <20001201142153.B329@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001201142153.B329@ringworld.oblivion.bg>; from roam@orbitel.bg on Fri, Dec 01, 2000 at 02:21:54PM +0200
X-Operating-System: FreeBSD 4.2-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri 01 Dec 2000, Peter Pentchev wrote:
> It would seem to me that what you're seeing is somebody trying to use
> your machine as storage for warez. In particular, the '.../ .sys/'
> directory contains files with names and sizes that look a lot like
> the 15MB RAR archives used by some warez groups to 'distribute' their
> findings.

I actually replied to this but accidentally sent to the wrong mailing list; this is indeed a file drop situation. Seen it many times before, and had a somewhat unique perspective on such activities.

I recently just switched from ProFTPd to the stock FreeBSD ftpd 6.00LS because it was becoming a pain to keep up with new problems in ProFTPd (albeit few and far between) and decided it was far easier to use the stock ftpd for ftp services [after all, it comes with the OS, no need to compile a port to get ftp services up and going.]

Granted ProFTPd is somewhat easier to set up (the apache-like configuration helps a lot) but I see no difference in quality of service except perhaps a few missing options such as ftp bandwidth limiting (which can be accomplished other ways anyways).

The "exploit" or "vulnerability" he's talking about I've seen before, mostly through an exploited ftpd called "glftpd" which is riddled with bugs (and unfortunately, is only distributed in platform-specific binaries, making it hard to 'sanitize' -- in which case I'd think using jail would be preferable if you must run this particular piece of software -- and it's my personal opinion services such as httpd and ftpd should be run inside a jail anyways) and it does indeed log input (in this particular case, the person who had installed it when I found it on a friend's machine had captured ftp, ssh and console [local] login names and passwords and hid the executable and its logged information in /var/spool/lpd/.lpd/).

Ideally, the best approach is not to allow anonymous upload access, or do as someone suggested and make your incoming directory write-only, thus preventing would-be couriers from making your site into a public file drop. Having a world writable/readable incoming directory is just begging to be abused.

-Chris
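The write-only incoming directory recommended in the message above, as an added POSIX shell example that is not part of the original mail or of the FreeBSD ftpd distribution. The directory path and the mode 1733 are assumptions; it audits a directory for the world-readable-and-writable "file drop" state and applies the write-only setup instead.

```shell
#!/bin/sh
# Added example, not from the original mail: audit an anonymous-ftp "incoming"
# directory for the public-file-drop condition (world-readable AND
# world-writable) and apply the write-only setup instead. The directory path
# used in demo() is constructed; the real one lives under the ftp account's home.

# audit_incoming DIR -> prints one of: drop | writeonly | other | missing
#   drop      : others can list/read and write  (usable as a warez drop)
#   writeonly : others can write but not list   (the recommended setup)
#   other     : anything else (e.g. not writable by others at all)
audit_incoming() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 1; }
    # ls -ld is portable across BSD and GNU; the first field is e.g. drwx-wx-wt
    perm=$(ls -ld "$dir" | cut -c1-10)
    case $perm in
        d??????rw?) echo drop ;;        # r and w for "other": public file drop
        d??????-w?) echo writeonly ;;   # w but no r for "other": uploads only
        *)          echo other ;;
    esac
}

# harden_incoming DIR: owner can read/list, others can only write and traverse,
# sticky bit so one uploader cannot remove another's files. Mode 1733 is an
# assumed conventional choice, not a value taken from the message.
harden_incoming() {
    chmod 1733 "$1"
}

# Demonstration on a constructed temporary directory (not a real ftp root).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/incoming"
    chmod 777 "$tmp/incoming"           # the "begging to be abused" state
    before=$(audit_incoming "$tmp/incoming")
    harden_incoming "$tmp/incoming"
    after=$(audit_incoming "$tmp/incoming")
    rm -rf "$tmp"
    echo "$before -> $after"            # prints "drop -> writeonly"
}
```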