From owner-freebsd-security Mon Nov 26 5:20: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131])
	by hub.freebsd.org (Postfix) with ESMTP id 83E2237B416
	for ; Mon, 26 Nov 2001 05:20:02 -0800 (PST)
Received: from [194.97.50.138] (helo=mx0.freenet.de)
	by mout0.freenet.de with esmtp (Exim 3.33 #3)
	id 168Lg1-0006O2-00; Mon, 26 Nov 2001 14:20:01 +0100
Received: from aabb4.pppool.de ([213.6.171.180] helo=Magelan.Leidinger.net)
	by mx0.freenet.de with esmtp (Exim 3.33 #3)
	id 168Lg0-00073O-00; Mon, 26 Nov 2001 14:20:00 +0100
Received: from Leidinger.net (netchild@localhost [127.0.0.1])
	by Magelan.Leidinger.net (8.11.6/8.11.6) with ESMTP id fAQCDkK02743;
	Mon, 26 Nov 2001 13:13:47 +0100 (CET)
	(envelope-from netchild@Leidinger.net)
Message-Id: <200111261213.fAQCDkK02743@Magelan.Leidinger.net>
Date: Mon, 26 Nov 2001 13:13:44 +0100 (CET)
From: Alexander Leidinger
Subject: Re: analysis of attack ??
To: k_a_kinsey@netzero.net
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <03e501c175ec$19332b40$d5f35b41@musicstudio>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 25 Nov, Kevin & Anita Kinsey wrote:

> Questions:
> *Does the fact that the files were in the public ftp directory mean
> that Mr. Badguy came in via anonymous FTP, or did he sniff a user
> password floating unencrypted over the 'Net?

Any chance the box also allowed telnet access (depending on which
version of FreeBSD you had running on it, they may have used an exploit
for it)? Which FTP server software are you using (proftpd and wu-ftpd
are known to have had a lot of exploitable bugs; if your friend can live
with the base ftpd you'd better switch to it)?

> *What should I do if/when (God forbid) this happens again to give me
> (you?) more to analyze.....?

You should also tell us the names and versions of the software used.

> *Is there a better way [than FTP] to have his 'webmaster' (page
> designer) upload pages to the site?

This depends on his webmaster; if he doesn't fear the command line and
you are able to find the programs for the platform he uses: rsync
(/usr/ports/net/rsync) over ssh.

Bye,
Alexander.

-- 
The best things in life are free, but the
expensive ones are still worth a look.

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7