Date: Sun, 25 Nov 2001 14:02:21 -0600
From: "Kevin & Anita Kinsey" <k_a_kinsey@netzero.net>
To: <freebsd-security@freebsd.org>
Subject: analysis of attack ??
Message-ID: <03e501c175ec$19332b40$d5f35b41@musicstudio>
A hobbyist (me) recently set up a FreeBSD box for a friend's SOHO. It serves as MTA, WWW, and FTP (for webpage upload) server, and sits behind a NAT-ting router, which passes ftp/www/smtp traffic to appropriate ports (under 'ideal' conditions, anyway).

During a recent visit [after too long an absence] I discovered his bandwidth was totally eaten up (ping > 2 seconds to upstream server) and the cause was this box. Unusually named files appeared in /var/ftp/pub/pub, and /etc/group showed that guest had root privileges. I removed the machine from the net promptly and began wiping the disk for a reinstall.

Questions:

* Does the fact that the files were in the public ftp directory mean that Mr. Badguy came in via anonymous FTP, or did he sniff a user password floating unencrypted over the 'Net?

* What should I do if/when (God forbid) this happens again to give me (you?) more to analyze...?

* Is there a better way [than FTP] to have his 'webmaster' (page designer) upload pages to the site?

* I realize I'm probably a total idiot who doesn't deserve a root pw, but please don't hit me too hard; the last 'friend' he had gave him no mail service at all and had anonymous FTP login default to /wwwroot on his IIS server. (Thanks, Nimda....)

Kevin Kinsey