Date:      Fri, 1 Dec 2000 09:44:42 -0600 
From:      Garrett Gregory Cntr AMC/LGXI <GREGORY.GARRETT@SCOTT.AF.MIL>
To:        Marc Rassbach <marc@milestonerdl.com>, Nevermind <never@nevermind.kiev.ua>
Cc:        Matjaz Martincic <matjaz.martincic@hermes.si>, freebsd-security@FreeBSD.ORG
Subject:   RE: Move along, nothing to see here.  Re: Important!! Vulnerability in standard ftpd
Message-ID:  <21A918476AFBD311B0C80000D1ECF0FF01A865FC@vejxoisnte85.scott.af.mil>

Speaking from experience in a related case:

I have had my website system hacked twice in the last year - BOTH times it
happened because the hacker got into ANOTHER system where an individual with
a trusted account had his userid and password stored on that server in a
plain text file - they pogoed from that system with that userid and got
in...

The results from the investigation? There was nothing else I could do to my
system to make it more secure - in fact I got kudos for it being as secure
as it was. But as long as people keep info insecurely there's nothing you can
do but keep watch and hope to catch them (and of course have good backup
sets!).

Greg Garrett
UNIX Systems Administrator
HQ AMC/LGXI
DSN 779-4695
Comm 618-229-4695
Email Gregory.Garrett@scott.af.mil

-----Original Message-----
From: Marc Rassbach [mailto:marc@milestonerdl.com]
Sent: Friday, December 01, 2000 9:16 AM
To: Nevermind
Cc: Matjaz Martincic; freebsd-security@FreeBSD.ORG
Subject: Move along, nothing to see here. Re: Important!! Vulnerability
in standard ftpd




On Fri, 1 Dec 2000, Nevermind wrote:

> No, I had only trusted non-anonymous ftp accounts. And sure, very-trusted
> shell accounts. All of them have full sudo, but all of us were using only ssh,
> telnetd was closed, no one accessed non-anonymous ftp from outside the
> network.

The Accounts and these people may all have been trusted.  But what about
the people who knew the people with the access?

Could THEY be trusted?

Did one of them use the same password on all machines, and therefore had a
valid password from a non-trustable system?

Unless you have logs of all commands/keystrokes of your remote users,
stored on a separate machine, you don't know if the break-in happened by
one of your remote users' IDs.

If you can provide documentation of the break-in, good.  If you
have a script (either printed directions or an actual automated
script) that does the break-in, great.  I'm positive Kris would love to
see it.  If all you can do is hand-wave and talk in vague generalities,
then please don't post as "Important!! Vulnerability in standard ftpd";
try something like "Did they use ftpd to break in?" or "I had a break-in
....would someone help me figure out what happened" or "Someone was
messing with my ftp setup...I could use some help."  I'm sure your break-in
was real, and raised your blood pressure, but your alarmist style of
post raised the blood pressure of many sysadmins today.  Consider their
health....all that caffeine and sugar combined with a spike in blood
pressure will kill them.





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


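Both messages above make the same point from two sides: Greg's break-ins came through a trusted account whose password had been lifted from another machine, and Marc notes you cannot tell that apart from an ftpd bug unless login records are kept on a separate host. The script below is an added example, not code from either poster or from FreeBSD; it shows the kind of correlation a loghost makes possible. The syslog lines, host names, user names and the trusted network are all constructed assumptions, and the sshd/ftpd message formats are approximated from memory rather than taken from the page.

```python
"""Correlate login records shipped to a separate loghost to spot
trusted accounts being used from untrusted places or hopped between
hosts. Added example; the log lines below are constructed, and the
hosts, users and networks are assumptions, not from the thread."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed syslog lines, in roughly the shape sshd and ftpd write
# (assumption: formats approximated, not taken from the page).
SAMPLE_LOG = """\
Dec  1 08:02:11 www sshd[1201]: Accepted password for alice from 10.0.0.5 port 40131 ssh2
Dec  1 08:05:40 www ftpd[1207]: FTP LOGIN FROM 10.0.0.5 as alice
Dec  1 08:40:02 devbox sshd[3310]: Accepted password for bob from 10.0.0.9 port 51022 ssh2
Dec  1 08:41:17 www sshd[1288]: Accepted password for bob from 10.0.0.33 port 42019 ssh2
Dec  1 22:13:05 www sshd[1420]: Accepted password for bob from 203.0.113.77 port 3022 ssh2
Dec  1 22:14:30 www ftpd[1425]: FTP LOGIN FROM 203.0.113.77 as bob
"""

# Assumed environment: the trusted network and the addresses of the
# hosts whose logs are shipped to the loghost.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HOST_ADDRS = {"www": "10.0.0.10", "devbox": "10.0.0.33"}
YEAR = 2000  # syslog lines carry no year; assume the thread's year

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (sshd|ftpd)\[\d+\]: (.*)$")
SSH_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
FTP_RE = re.compile(r"FTP LOGIN FROM (\S+) as (\S+)")


def parse_events(text):
    """Turn raw syslog lines into (time, host, service, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, svc, msg = m.groups()
        when = datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        if svc == "sshd":
            mm = SSH_RE.search(msg)
            if mm:
                events.append((when, host, svc, mm.group(1), mm.group(2)))
        else:
            mm = FTP_RE.search(msg)
            if mm:
                events.append((when, host, svc, mm.group(2), mm.group(1)))
    return events


def find_suspicious(events, trusted_nets=TRUSTED_NETS, host_addrs=HOST_ADDRS,
                    window=timedelta(minutes=10)):
    """Apply three checks that only a separate loghost can answer reliably,
    because a compromised host can edit its own wtmp and messages file:
      outside  - a named (non-anonymous) account used from an untrusted net
      hop      - a login whose source is another monitored host, i.e. the
                 credential was replayed from a box that may itself be owned
      multisrc - one account arriving from several sources inside `window`
    """
    addr_to_host = {v: k for k, v in host_addrs.items()}
    alerts = []
    by_user = {}
    for when, host, svc, user, src in events:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in trusted_nets):
            alerts.append(("outside", user, host, svc, src))
        if src in addr_to_host and addr_to_host[src] != host:
            alerts.append(("hop", user, host, svc, addr_to_host[src]))
        recent = [(t, s) for t, s in by_user.get(user, []) if when - t <= window]
        if any(s != src for _, s in recent):
            alerts.append(("multisrc", user, host, svc, src))
        by_user[user] = recent + [(when, src)]
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(*alert)
```

On the constructed input the "hop" alert is the pattern Greg describes: bob's credential arrives at www from devbox, so devbox is where the password was taken from and is the machine to examine next; the "outside" alerts are the same account later used from an address that never should have reached a non-anonymous ftp login at all. None of this proves or disproves a bug in ftpd, which is Marc's point: without these records off-box there is nothing to reason from.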



