From owner-freebsd-security  Sun Nov 25 12:20:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [216.33.66.196])
	by hub.freebsd.org (Postfix) with ESMTP id 635E737B405
	for <freebsd-security@freebsd.org>; Sun, 25 Nov 2001 12:20:11 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192)
	id EE86A81D2D; Sun, 25 Nov 2001 14:20:05 -0600 (CST)
Date: Sun, 25 Nov 2001 14:20:05 -0600
From: Alfred Perlstein <bright@mu.org>
To: Kevin & Anita Kinsey <k_a_kinsey@netzero.net>
Cc: freebsd-security@freebsd.org
Subject: Re: analysis of attack ??
Message-ID: <20011125142005.D13393@elvis.mu.org>
References: <03e501c175ec$19332b40$d5f35b41@musicstudio>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <03e501c175ec$19332b40$d5f35b41@musicstudio>; from k_a_kinsey@netzero.net on Sun, Nov 25, 2001 at 02:02:21PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

* Kevin & Anita Kinsey <k_a_kinsey@netzero.net> [011125 14:00] wrote:
> 
> Questions:
> *Does the fact that the files were in the public ftp directory
> mean that Mr. Badguy came in via anonymous FTP, or did he sniff a
> user password floating unencrypted over the 'Net?

That's really not possible to determine for sure, even if your
ftp site configuration data was available.

> *What should I do if/when (God forbid) this happens again to give
> me (you?) more to analyze.....?

Keeping better logfiles would be good, setting them immutable or
having them sent to a completely seperate machine or even to a
printer could work and hopefully keep the log entries from being
altered.

> *Is there a better way [than FTP] to have his 'webmaster' (page
> designer) upload pages to the site?

Actually I recently saw that _finally_ they came out with a 
client that does ftp over ssh.  I think DataFellows has such a client
you should check it out.

> *I realize I'm probably a total idiot who doesn't deserve a root
> pw, but please don't hit me too hard, the last 'friend' he had gave
> him no mail service at all and had anonymous FTP login default to
> /wwwroot on his IIS server.  (Thanks, Nimda....)

Being proactive and knowing when to ask for help speaks a lot for
you, however it would probably make sense for you to hire a decent
consultant, take a look at the commercial consultants available on
www.freebsd.org or www.bsdmall.com (they offer training last i
checked).

best of luck,
-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
 start asking why software is ignoring 30 years of accumulated wisdom.'
                           http://www.morons.org/rants/gpl-harmful.php3

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message