From owner-freebsd-security Sun Nov 25 12:00:44 2001
Delivered-To: freebsd-security@freebsd.org
From: "Kevin & Anita Kinsey"
Subject: analysis of attack ??
Date: Sun, 25 Nov 2001 14:02:21 -0600
Sender: owner-freebsd-security@FreeBSD.ORG

A hobbyist (me) recently set up a FreeBSD box for a friend's SOHO. It serves as MTA, WWW, and FTP (for webpage upload) server, and sits behind a NAT-ting router, which passes ftp/www/smtp traffic to appropriate ports (under 'ideal' conditions, anyway).

During a recent visit [after too long an absence] I discovered his bandwidth was totally eaten up (ping > 2 seconds to upstream server) and the cause was this box. Unusually named files appeared in /var/ftp/pub/pub, and /etc/group showed that guest had root privileges. I removed the machine from the net promptly and began wiping the disk for a reinstall.

Questions:

* Does the fact that the files were in the public ftp directory mean that Mr. Badguy came in via anonymous FTP, or did he sniff a user password floating unencrypted over the 'Net?

* What should I do if/when (God forbid) this happens again to give me (you?) more to analyze.....?

* Is there a better way [than FTP] to have his 'webmaster' (page designer) upload pages to the site?

* I realize I'm probably a total idiot who doesn't deserve a root pw, but please don't hit me too hard, the last 'friend' he had gave him no mail service at all and had anonymous FTP login default to /wwwroot on his IIS server. (Thanks, Nimda....)

Kevin Kinsey
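One concrete check for the change the poster found (an account turning up in wheel in /etc/group), as an added example that is not part of the original message or of FreeBSD's own tooling. It assumes the BSD/Unix /etc/group layout (name:password:gid:member,member), a caller-supplied baseline of which accounts belong in each privileged group, and the group names `wheel` and `operator`; the sample group files and the `kevin` account are constructed for the example.

```python
"""Flag unexpected members of privileged groups in an /etc/group file.

Added example for this thread, not code from the original message or from
FreeBSD. It assumes the BSD/Unix /etc/group layout
(name:password:gid:member1,member2) and a caller-supplied baseline of which
accounts belong in each privileged group; the sample data below is constructed.
"""
from __future__ import annotations

import sys

# Groups whose membership grants elevated privilege on a FreeBSD host
# (wheel: su to root; operator: raw device / backup access).
PRIVILEGED_GROUPS = {"wheel", "operator"}


def parse_group(text: str) -> dict[str, tuple[int, list[str]]]:
    """Parse /etc/group content into {name: (gid, [members])}.

    Malformed lines are skipped rather than raising, so a partially
    damaged file can still be audited.
    """
    groups: dict[str, tuple[int, list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue
        name, _password, gid, members = parts
        try:
            gid_num = int(gid)
        except ValueError:
            continue
        groups[name] = (gid_num, [m for m in members.split(",") if m])
    return groups


def audit_group(text: str, baseline: dict[str, set[str]]) -> list[str]:
    """Return findings (empty when clean) for privileged-group membership.

    baseline maps a group name to the set of accounts expected in it.
    Any group with gid 0 is treated as privileged even if it is not named
    'wheel', since a renamed or duplicated gid-0 group is another way a
    root-equivalent account can be hidden.
    """
    findings: list[str] = []
    for name, (gid, members) in parse_group(text).items():
        if gid == 0 and name != "wheel":
            findings.append(f"group {name!r} has gid 0")
        if name in PRIVILEGED_GROUPS or gid == 0:
            for member in sorted(set(members) - baseline.get(name, set())):
                findings.append(
                    f"unexpected member {member!r} in privileged group {name!r}"
                )
    return findings


# Constructed sample data: what the box might have looked like before and
# after the intrusion (the 'guest' entry in wheel is the tell).
BASELINE = {"wheel": {"root", "kevin"}, "operator": {"root"}}

GROUP_CLEAN = """\
# constructed sample /etc/group
wheel:*:0:root,kevin
operator:*:5:root
ftp:*:14:
guest:*:31:
"""

GROUP_COMPROMISED = """\
wheel:*:0:root,kevin,guest
operator:*:5:root
ftp:*:14:
guest:*:31:
"""


if __name__ == "__main__":
    # Usage: python audit_group.py [/path/to/group]; defaults to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else GROUP_COMPROMISED
    for finding in audit_group(text, BASELINE) or ["no findings"]:
        print(finding)
```

Run against a copy of /etc/group taken from a known-good install to build the baseline, then against the live file (or one preserved from a compromised disk) to see what changed; a cron job that diffs the output against the baseline is a cheap way to be alerted before bandwidth disappears.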