Firewall Wizards mailing list archives
RE: [OT?] Anybody Recognize These Uploads?
From: Bruce Platt <Bruce () ei3 com>
Date: Thu, 26 Dec 2002 09:12:10 -0500
In addition to what's been posted already, there are several other things to do in setting up an anon ftp server which allows the anon user to upload: 1. Protect the incoming directory so that it can't be ls'ed. This doesn't stop the people who dropped off things and know the names of what they dropped off, but it stops the casual user from looking to see what's there. 2. If you have to use an incoming directory, time limit how long things can stay there by emptying it our periodically with a cron job. 3. Set a quota on the directory, or place it in a file system "just-big-enough" to hold what you expect to get. This keeps the bad guys from filling up your file system. 4. Create subdirectories with carefully crafted names, known by the legitimate upload users with appropriate protections. For 3 and 4 see http://www.cert.org/tech_tips/anonymous_ftp_config.html Also, if you can it's never a bad practice to edit your ftpaccess file if using wuftpd and disallow anonymous entirely. Regards,
-----Original Message----- From: jseymour () LinxNet com [mailto:jseymour () LinxNet com] Sent: Tuesday, December 24, 2002 9:06 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] [OT?] Anybody Recognize These Uploads? Hi All, Maybe kind of off-topic, maybe not. My FTP server at home allows sand-boxed FTP uploads [1]. Occasionally I see things in there with all-numeric filenames. They seem to be some kind of unidentified [2] data. They're all the same size. Here's what's there currently: $ ls -l [0-9]* -rw-rw-r-- 1 ftp ftp 104154 Dec 20 18:21 389.204 -rw-rw-r-- 1 ftp ftp 104154 Dec 21 09:27 449.833 -rw-rw-r-- 1 ftp ftp 104154 Dec 24 08:15 57.605 -rw-rw-r-- 1 ftp ftp 104154 Nov 29 13:30 689.279 -rw-rw-r-- 1 ftp ftp 104154 Dec 23 12:31 881.787 With one exception, these all came from dip.t-dialin.net space. The other came from gte.net space. All users anon logged in as "ano () ano com." I long ago disallowed FTP access by wanadoo.fr users due to wide-spread FTP abuse from that space and poor abuse handling by wanadoo.fr. I'm wondering if this isn't the same kind of thing? [1] FTP "incoming" directory is write-only. Users can't even get a directory listing and file over-writes are prohibited. [2] Unidentified by "file mumble" Thanks, Jim -- Jim Seymour | PGP Public Key available at: jseymour () LinxNet com | http://www.uk.pgp.net/pgpnet/pks-commands.html http://jimsun.LinxNet.com | _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- [OT?] Anybody Recognize These Uploads? Jim Seymour (Dec 24)
- RE: [OT?] Anybody Recognize These Uploads? Bill Royds (Dec 24)
- <Possible follow-ups>
- Re: [OT?] Anybody Recognize These Uploads? Eric N. Valor (Dec 25)
- Re: Re: [OT?] Anybody Recognize These Uploads? Henning Brauer (Dec 25)
- RE: Re: [OT?] Anybody Recognize These Uploads? Noonan, Wesley (Dec 25)
- Re: Re: [OT?] Anybody Recognize These Uploads? Henning Brauer (Dec 25)
- Re: Re: [OT?] Anybody Recognize These Uploads? R. DuFresne (Dec 25)
- fp3 upgrade for nokia simon (Dec 26)
- Re: Re: [OT?] Anybody Recognize These Uploads? Henning Brauer (Dec 25)
- RE: Re: [OT?] Anybody Recognize These Uploads? Christine Kronberg (Dec 27)
- RE: [OT?] Anybody Recognize These Uploads? Bruce Platt (Dec 26)