Date: Sat, 26 Oct 1996 03:44:10 +0100 (MET)
From: Stefan Jakobsson <gorgon@katrinet.se>
To: Rick Gray <rickg@nwpros.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Hackers
Message-ID: <Pine.LNX.3.91.961026034000.439A-100000@calvin.katrinet.se>
In-Reply-To: <1.5.4.32.19961025224330.00688860@nwpros.com>
On Fri, 25 Oct 1996, Rick Gray wrote:

> Date: Fri, 25 Oct 1996 17:43:30 -0500
> From: Rick Gray <rickg@nwpros.com>
> To: freebsd-isp@FreeBSD.ORG
> Subject: Hackers
>
> I believe I know what my FTP problem is. After I rebooted I noticed several
> people FTPing into the system, none who are customers. Looking at the
> home/FTP/pub files shows nothing but when I did a ls -a it showed a hidden
> file: ../ ../stevan. This is the file the hackers are retrieving. I can't
> even delete the file or change the access. I must warn everyone of this. The
> users use the email name of mozilla@ for the majority.
>
> So somehow when these guys come into my system, it screws up FTP. I disabled
> FTP in inetd until I find a solution to this problem. I was told that
> FreeBSD was very secure but now someone has found a loophole somewhere, I guess.
>
> Is there a way to deny these hackers access but allow my customers access?
> Again, I am using wu_ftp and tcp_wrappers on my 2.0 system. I don't know how
> to stop them other than not run FTP which of course is not acceptable.
>
> So everyone do a ps ax and check to see if anyone is FTPed into your system
> as mozilla. Those are the majority of hackers I saw...I guess they all use
> the same name. One last thing..they were not FTPing directly to me. They
> were going through other machines to cover their tracks. I informed one
> company of the problem but said they can't help since this person was not a
> customer. I found that strange. They would be able to see someone using
> their system too.
>
> I hope I have warned enough of you. If you have a solution to my/our
> problem, PLEASE let me know. I use FTP quite a bit along with several of my
> customers.
>
> Thanks.

Hmmmmm.,.....

You should look into if this is not in fact one of your users running an
'elite-service' in his home directory.

Since it seems that most people into the illegal swapping of commercial
swapping have started to use 'webbed' ftp (with password protection) and
also standard FTP in hidden directories. I had to shut one of my users
after finding cracked commercial software avail thru his web pages.

Reg

Stefan Jakobsson
Katrinet ISP (Sweden)
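
Added example, not part of the original message: a sketch of how an administrator could audit an FTP tree for entries like the hidden one described in the thread, which a plain ls does not show. It assumes the hidden name is built from dots and whitespace (for instance ".. "); the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def classify_name(name):
    """Return the reasons a directory entry name would be easy to miss in a listing."""
    reasons = []
    if name.startswith("."):
        reasons.append("dot-prefixed (hidden from plain ls)")
    if name.strip(". \t") == "":
        reasons.append("only dots and whitespace (mimics . or ..)")
    if name != name.strip():
        reasons.append("leading or trailing whitespace")
    if any(not ch.isprintable() for ch in name):
        reasons.append("non-printable character")
    return reasons

def find_hidden_entries(root):
    """Walk root and return (relative path, reasons) for every suspicious name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            reasons = classify_name(name)
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree: one normal file plus names that hide from ls."""
    os.makedirs(os.path.join(root, "pub", ".. ", "stevan"))
    os.makedirs(os.path.join(root, "pub", "incoming"))
    open(os.path.join(root, "pub", "README"), "w").close()
    open(os.path.join(root, "pub", "incoming", ".hidden\x07"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons in find_hidden_entries(os.path.join(tmp, "pub")):
            # repr() makes trailing spaces and control bytes visible
            print(repr(rel), "->", "; ".join(reasons))
```

Printing each path with repr() is what exposes the trailing space or control byte; such a name usually has to be quoted exactly (or removed by inode number) before rm or chmod will act on it.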