Date:      Sun, 25 Nov 2001 14:20:05 -0600
From:      Alfred Perlstein <bright@mu.org>
To:        Kevin & Anita Kinsey <k_a_kinsey@netzero.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: analysis of attack ??
Message-ID:  <20011125142005.D13393@elvis.mu.org>
In-Reply-To: <03e501c175ec$19332b40$d5f35b41@musicstudio>; from k_a_kinsey@netzero.net on Sun, Nov 25, 2001 at 02:02:21PM -0600
References:  <03e501c175ec$19332b40$d5f35b41@musicstudio>

* Kevin & Anita Kinsey <k_a_kinsey@netzero.net> [011125 14:00] wrote:
> 
> Questions:
> *Does the fact that the files were in the public ftp directory
> mean that Mr. Badguy came in via anonymous FTP, or did he sniff a
> user password floating unencrypted over the 'Net?

That's really not possible to determine for sure, even if your
ftp site configuration data was available.

> *What should I do if/when (God forbid) this happens again to give
> me (you?) more to analyze.....?

Keeping better logfiles would be good, setting them immutable or
having them sent to a completely separate machine or even to a
printer could work and hopefully keep the log entries from being
altered.

> *Is there a better way [than FTP] to have his 'webmaster' (page
> designer) upload pages to the site?

Actually I recently saw that _finally_ they came out with a
client that does ftp over ssh.  I think DataFellows has such a client;
you should check it out.

> *I realize I'm probably a total idiot who doesn't deserve a root
> pw, but please don't hit me too hard, the last 'friend' he had gave
> him no mail service at all and had anonymous FTP login default to
> /wwwroot on his IIS server.  (Thanks, Nimda....)

Being proactive and knowing when to ask for help speaks a lot for
you; however, it would probably make sense for you to hire a decent
consultant.  Take a look at the commercial consultants available on
www.freebsd.org or www.bsdmall.com (they offer training last I
checked).

best of luck,
-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
 start asking why software is ignoring 30 years of accumulated wisdom.'
                           http://www.morons.org/rants/gpl-harmful.php3

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
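The reply's advice on logging (ship syslog to a separate loghost, mark the local files append-only) is the kind of thing that pays off only if you also check the two copies against each other after an incident. The script below is an added example written for this archive page, not code from the original mail or from the FreeBSD project. The comments at the top record the FreeBSD-side setup the reply alludes to; the hostname "loghost", the addresses in the 192.0.2.0/24 documentation range and the sample log lines are all constructed for the example. The check itself uses only POSIX tools (sort, comm) so it runs anywhere: it lists every line the loghost received that is no longer present in the copy taken from the suspect web server, which is exactly the alteration the reply wants to make visible.

```shell
#!/bin/sh
# Added example (not part of the original thread).
#
# FreeBSD setup the reply describes, written out (assumptions: the log
# collector is named "loghost", the web server is 192.0.2.10):
#   web server, /etc/syslog.conf:      *.*    @loghost
#   web server, append-only log files: chflags sappnd /var/log/auth.log /var/log/xferlog
#       (sappnd is a system flag; it cannot be cleared while securelevel > 0)
#   loghost, /etc/rc.conf:             syslogd_flags="-a 192.0.2.10/32"
#       (accept forwarded messages only from the web server)
#
# What follows is the post-incident comparison run on the loghost.

set -u

# missing_lines REMOTE LOCAL
# Print lines present in the loghost's copy (REMOTE) but absent from the
# copy pulled off the suspect host (LOCAL). Prints nothing when LOCAL is intact.
missing_lines() {
    remote=$1
    local_copy=$2
    # comm needs sorted input; -23 keeps lines that appear only in REMOTE
    sort "$remote" > "${remote}.sorted"
    sort "$local_copy" > "${local_copy}.sorted"
    comm -23 "${remote}.sorted" "${local_copy}.sorted"
    rm -f "${remote}.sorted" "${local_copy}.sorted"
}

# log_intact REMOTE LOCAL
# Exit 0 when every forwarded line is still in the local copy, 1 otherwise.
log_intact() {
    n=$(missing_lines "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# demo: build constructed sample logs (not real data from the thread) and
# show which entries were removed from the web server's copy.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Nov 25 13:58:01 web ftpd[311]: ANONYMOUS FTP LOGIN FROM 192.0.2.77, mozilla@' \
        'Nov 25 13:58:09 web ftpd[311]: put /pub/incoming/tool.tgz' \
        'Nov 25 14:01:44 web sshd[320]: Accepted password for webmaster from 192.0.2.5' \
        > "$dir/loghost_copy"
    # the suspect host's copy, with the ftpd entries deleted
    grep -v ftpd "$dir/loghost_copy" > "$dir/webserver_copy"
    if log_intact "$dir/loghost_copy" "$dir/webserver_copy"; then
        echo "local log matches loghost copy"
    else
        echo "entries missing from the web server's copy:"
        missing_lines "$dir/loghost_copy" "$dir/webserver_copy"
    fi
    rm -rf "$dir"
}

demo
```

Run it on the loghost after copying the suspect file over (scp from the loghost side, not from the compromised box, so the collector never trusts a login initiated by the suspect host). Lines that show up in the difference are the ones worth starting the timeline from; a clean comparison does not prove the logs are complete, only that nothing forwarded was later removed.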