From owner-freebsd-security Fri Dec 1 7:17:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1])
    by hub.freebsd.org (Postfix) with ESMTP id 02B7137B400
    for ; Fri, 1 Dec 2000 07:17:32 -0800 (PST)
Received: from tandem (tandem [204.107.138.1])
    by tandem.milestonerdl.com (8.10.0/8.10.0) with ESMTP id eB1FGGL24710;
    Fri, 1 Dec 2000 09:16:16 -0600 (CST)
Date: Fri, 1 Dec 2000 09:16:16 -0600 (CST)
From: Marc Rassbach
To: Nevermind
Cc: Matjaz Martincic , freebsd-security@FreeBSD.ORG
Subject: Move along, nothing to see here. Re: Important!! Vulnerability in standard ftpd
In-Reply-To: <20001201124713.K2185@nevermind.kiev.ua>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 1 Dec 2000, Nevermind wrote:

> No, I had only trusted non-anonymous ftp accounts. And sure, very-trusted shell
> accounts. All of them have full sudo, but all of us were using only ssh,
> telnetd was closed, no one accessed to non-anonymous ftp from outside network.

The accounts and these people may all have been trusted. But what about the
people who knew the people with the access? Could THEY be trusted?

Did one of them use the same password on all machines, and therefore had a
valid password from a non-trustable system?

Unless you have logs of all commands/keystrokes of your remote users, stored
on a separate machine, you don't know if the break-in happened by one of your
remote users' IDs.

If you can provide documentation to the break-in, good. If you have a script
(either printed directions or an actual automated script) that does the
break-in, great. I'm positive Kris would love to see it.

If all you can do is hand-wave and talk in vague generalities, then please
don't post as "Important!! Vulnerability in standard ftpd"; try something like
"Did they use ftpd to break in?"
or
"I had a break-in....would someone help me figure out what happened"
or
"Someone was messing with my ftp setup...I could use some help."

I'm sure your break-in was real, and raised your blood pressure, but your
alarmist style of post raised the blood pressure of many sysadmins today.
Consider their health....all that caffeine and sugar combined with a spike in
blood pressure will kill them.