From owner-freebsd-security Tue May 22 11:43:39 2001
Message-ID: <003601c0e2ee$b006bfa0$0700a8c0@com.home.com>
From: "Mike"
To: "Chojin" ,
References: <005301c0e2b7$8a4a6dc0$0245a8c0@chojin>
Subject: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 14:40:33 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

Hi,

My webhosting server I believe recently got hacked. I logged in via ftp using FreeBSD 4.3-stable stock ftpd and it went directly to /usr/home/ftp and I will paste below what it has. I updated from 4.2-stable to 4.3-stable after the glob() patch came out. So I don't believe that it's because of the glob vuln.

.010512105058p
010513050858p
010515163904p
010515163907p
010520053658p
010520053659p
010520053700p
010520053701p
010520053702p
010520053709p
1mbtest.ptf
frdfakAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)?P??P??)?P?fish)?
f?IF1?V?I???1?V??PTPTS?;P??
pufpafAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA)?P??P??)?P?fish)?
f?IF1?V?I???1?V??PTPTS?;P??
???? Tagged By Wizardz Fxp ????

-Mike
-Blinx Networks

----- Original Message -----
From: "Chojin"
To:
Sent: Tuesday, May 22, 2001 8:05 AM
Subject: IPF Rule problem

> In my rules I put this:
> pass out quick proto tcp from any to any keep state
> pass out quick proto udp from any to any keep state
> pass out quick proto icmp from any to any keep state
> block out quick all
>
> (123.123.123.123 is an example)
> pass in quick proto tcp from any to any port = 23 keep state
> ...
> block in log quick all
>
> When I use telnet -s 192.168.69.1 123.123.123.123 it works
> telnet -s 127.0.0.1 123.123.123.123 works too
> telnet -s 123.123.123.123 123.123.123.123 doesn't work
>
> Why?
>
> Regards.
>
> Chojin
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
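
A triage check for the kind of listing pasted in the message above, added here as an example and not part of the original post or of FreeBSD: it walks an anonymous-FTP root and flags entries with over-long names, padding-like runs of one byte, non-printable bytes or spaces, hidden names, and world-writable directories. The thresholds, the reason labels and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile

MAX_NAME = 64                           # assumed threshold; tune for your site
RUN = re.compile(rb"(.)\1{15,}", re.S)  # 16+ repeats of one byte (padding-like)
VISIBLE = re.compile(rb"[\x21-\x7e]+")  # visible ASCII only: no spaces, no control bytes

def name_reasons(name: bytes) -> list:
    """Reasons a single directory entry name looks out of place."""
    reasons = []
    if len(name) > MAX_NAME:
        reasons.append("long-name")
    if RUN.search(name):
        reasons.append("repeated-byte-run")
    if not VISIBLE.fullmatch(name):
        reasons.append("non-printable-or-space")
    if name.startswith(b"."):
        reasons.append("hidden")
    return reasons

def scan(root: str) -> dict:
    """Walk root with bytes paths (so odd names survive) and map path -> reasons."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            reasons = name_reasons(name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                reasons.append("world-writable-dir")  # anyone may create entries here
            if reasons:
                findings[path] = reasons
    return findings

def build_sample(root: str) -> None:
    """Constructed sample tree, loosely shaped like the listing in the message."""
    os.mkdir(os.path.join(root, "pub"), 0o755)
    inc = os.path.join(root, "incoming")
    os.mkdir(inc)
    os.chmod(inc, 0o777)                              # upload area left open to all
    os.mkdir(os.path.join(inc, ".010101000000p"), 0o755)
    os.mkdir(os.fsencode(inc) + b"/x" + b"A" * 100 + b"\x01\x02", 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reasons in sorted(scan(tmp).items()):
            print(os.fsdecode(path)[len(tmp):], ",".join(reasons))
```

Point `scan()` at the real FTP root (for the server in the message, `/usr/home/ftp`) and review every flagged path before deleting anything, since the entries are evidence of what was uploaded and when.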