Date: Sun, 25 Nov 2001 14:02:21 -0600
From: "Kevin & Anita Kinsey" <k_a_kinsey@netzero.net>
To: <freebsd-security@freebsd.org>
Subject: analysis of attack ??
Message-ID: <03e501c175ec$19332b40$d5f35b41@musicstudio>
A hobbyist (me) recently set up a FreeBSD box for a friend's SOHO. It serves as MTA, WWW, and FTP (for webpage upload) server, and sits behind a NAT-ting router, which passes ftp/www/smtp traffic to appropriate ports (under 'ideal' conditions, anyway).

During a recent visit [after too long an absence] I discovered his bandwidth was totally eaten up (ping > 2 seconds to upstream server) and the cause was this box. Unusually named files appeared in /var/ftp/pub/pub, and /etc/group showed that guest had root privileges. I removed the machine from the net promptly and began wiping the disk for a reinstall.

Questions:

* Does the fact that the files were in the public ftp directory mean that Mr. Badguy came in via anonymous FTP, or did he sniff a user password floating unencrypted over the 'Net?

* What should I do if/when (God forbid) this happens again to give me (you?) more to analyze.....?

* Is there a better way [than FTP] to have his 'webmaster' (page designer) upload pages to the site?

* I realize I'm probably a total idiot who doesn't deserve a root pw, but please don't hit me too hard; the last 'friend' he had gave him no mail service at all and had anonymous FTP login default to /wwwroot on his IIS server. (Thanks, Nimda....)

Kevin Kinsey
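The one concrete indicator in the post is "/etc/group showed that guest had root privileges". That is exactly the kind of change a small scripted audit of /etc/passwd and /etc/group will catch, and it is cheap to run from cron or from a rescue shell before wiping a box. The following is an added example, not code from the original poster or from FreeBSD. It assumes the 7-field /etc/passwd and 4-field /etc/group formats (FreeBSD's master.passwd has extra fields; point it at the generated /etc/passwd), and it treats the stock FreeBSD "toor" account as a legitimate second UID-0 login. The sample passwd and group files are constructed for illustration, with "guest" placed in wheel as the post describes.

```python
"""Audit passwd/group text for privilege-escalation indicators.

Added example for this thread (hypothetical code, not from the poster
or from FreeBSD).  Assumes classic 7-field passwd and 4-field group
lines.  SAMPLE_PASSWD / SAMPLE_GROUP are constructed sample data.
"""
from collections import defaultdict

# Accounts that legitimately carry UID 0 on a stock FreeBSD install.
# (toor is shipped by FreeBSD as an alternate root login; assumption:
# your site has not added any others.)
KNOWN_UID0 = {"root", "toor"}

SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
ftp:*:14:5:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin
guest:*:1001:1001:Guest account:/home/guest:/bin/sh
webmaster:*:1002:1002:Page designer:/home/webmaster:/bin/sh
"""

SAMPLE_GROUP = """\
wheel:*:0:root,guest
daemon:*:1:
ftp:*:14:
guest:*:1001:
webmaster:*:1002:
"""


def parse_passwd(text):
    """name -> {uid, gid, shell}; malformed lines are skipped, not guessed."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members}; the member field is a comma list, maybe empty."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def audit(passwd_text, group_text):
    """Return a list of (severity, message) findings, in detection order."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []

    # 1. Any extra UID-0 account is simply root under another name.
    for name, u in users.items():
        if u["uid"] == 0 and name not in KNOWN_UID0:
            findings.append(("HIGH", f"account {name} has UID 0"))
        if u["gid"] == 0 and name not in KNOWN_UID0:
            findings.append(("MED", f"account {name} has primary GID 0"))

    # 2. Supplementary membership in a GID-0 group (wheel on FreeBSD)
    #    is what lets a user su to root.  This is the post's indicator.
    for gname, g in groups.items():
        if g["gid"] == 0:
            for m in g["members"]:
                if m not in KNOWN_UID0:
                    findings.append(("HIGH", f"{m} is a member of GID-0 group {gname}"))

    # 3. Shared UIDs: two names, one identity.
    by_uid = defaultdict(list)
    for name, u in users.items():
        by_uid[u["uid"]].append(name)
    for uid, names in by_uid.items():
        if len(names) > 1 and not set(names) <= KNOWN_UID0:
            findings.append(("MED", f"UID {uid} shared by {', '.join(names)}"))

    # 4. Group members with no passwd entry: leftovers or a half-cleaned backdoor.
    for gname, g in groups.items():
        for m in g["members"]:
            if m not in users:
                findings.append(("LOW", f"group {gname} lists unknown user {m}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{sev}: {msg}")
```

On a real box, read /etc/passwd and /etc/group from a read-only mount of the suspect disk (or a copy taken before the wipe) and feed the text to audit(); compare the output against a baseline taken right after installation, since the useful signal is the diff, not the list itself.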
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?03e501c175ec$19332b40$d5f35b41>
