From owner-freebsd-isp Fri Oct 25 15:54:46 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA29109 for isp-outgoing; Fri, 25 Oct 1996 15:54:46 -0700 (PDT)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA29101 for ; Fri, 25 Oct 1996 15:54:42 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.7.6/8.6.5) with SMTP id PAA09148; Fri, 25 Oct 1996 15:55:46 -0700 (PDT)
Message-Id: <199610252255.PAA09148@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Rick Gray
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Hackers
In-reply-to: Your message of "Fri, 25 Oct 1996 17:43:30 CDT." <1.5.4.32.19961025224330.00688860@nwpros.com>
From: David Greenman
Reply-To: dg@root.com
Date: Fri, 25 Oct 1996 15:55:46 -0700
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>I believe I know what my FTP problem is. After I rebooted I noticed several
>people FTPing into the system, none who are customers. Looking at the
>home/FTP/pub files shows nothing but when I did a ls -a it showed a hidden
>file: ../ ../stevan. This is the file the hackers are retrieving. I can't
>even delete the file or change the access. I must warn everyone of this. The
>users use the email name of mozilla@ for the majority.

   You should be able to do a:

rm -rf ".*stevan*"

   ...but you may wish to cd to it first to see what's in it.

cd ".*stevan*"

   should similarly work.

>So somehow when these guys come into my system, it screws up FTP. I disabled
>FTP in inetd until I find a solution to this problem. I was told that
>FreeBSD was very secure but now someone has found a loophole somewhere, I guess.

   You probably need to better control the upload permissions.

>So everyone do a ps ax and check to see if anyone is FTPed into your system
>as mozilla. Those are the majority of hackers I saw...I guess they all use
>the same name. One last thing..they were not FTPing directly to me. They

   "mozilla" is the standard anonymous password that Netscape uses. It's not at
all unusual.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
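
An added example, not part of the original message: one way to audit an anonymous FTP tree for the two conditions discussed in this thread, entries whose names hide from a plain ls and directories that anonymous users can write to. The function name audit_ftp_tree, the bracketed output format and the sample directory names are assumptions made for illustration.

```shell
#!/bin/sh
# audit_ftp_tree ROOT
# Prints one finding per line as "<kind><TAB>[<path>]". The brackets make
# trailing spaces in a name visible. (Hypothetical helper, not a system tool.)
audit_ftp_tree() {
    root=$1

    # 1. Names that start with a dot (hidden from plain `ls`) or contain a
    #    space (easy to misread as "." or ".." in a listing).
    find "$root" -mindepth 1 \( -name '.*' -o -name '* *' \) \
        -exec sh -c 'for p do printf "odd-name\t[%s]\n" "$p"; done' sh {} +

    # 2. Directories writable by "other": anywhere an anonymous login can
    #    create entries such as the ones found in step 1.
    find "$root" -type d -perm -0002 \
        -exec sh -c 'for p do printf "world-writable\t[%s]\n" "$p"; done' sh {} +
}

# Constructed sample tree to show the output; the directory names below are
# invented for this demonstration.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/pub/.. /stevan" "$t/pub/incoming" "$t/pub/docs"
    chmod 755 "$t/pub" "$t/pub/docs" "$t/pub/.. " "$t/pub/.. /stevan"
    chmod 777 "$t/pub/incoming"
    audit_ftp_tree "$t/pub"
    rm -rf "$t"
}
demo
```

Each bracketed path can be passed, quoted exactly as printed between the brackets, to ls -la for inspection before anything is removed.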