Firewall Wizards mailing list archives

RE: [OT?] Anybody Recognize These Uploads?


From: Bruce Platt <Bruce () ei3 com>
Date: Thu, 26 Dec 2002 09:12:10 -0500

In addition to what's been posted already, there are several other things to
do in setting up an anon ftp server which allows the anon user to upload:

1. Protect the incoming directory so that it can't be ls'ed.  This doesn't
stop the people who dropped off things and know the names of what they
dropped off, but it stops the casual user from looking to see what's there.

2. If you have to use an incoming directory, time limit how long things can
stay there by emptying it out periodically with a cron job.

3. Set a quota on the directory, or place it in a file system
"just-big-enough" to hold what you expect to get.  This keeps the bad guys
from filling up your file system.

4. Create subdirectories with carefully crafted names, known by the
legitimate upload users with appropriate protections.

For 3 and 4 see http://www.cert.org/tech_tips/anonymous_ftp_config.html

Also, if you can, it's never a bad practice to edit your ftpaccess file if
using wuftpd and disallow anonymous entirely.

Regards,

-----Original Message-----
From: jseymour () LinxNet com [mailto:jseymour () LinxNet com]
Sent: Tuesday, December 24, 2002 9:06 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] [OT?] Anybody Recognize These Uploads?


Hi All,

Maybe kind of off-topic, maybe not.

My FTP server at home allows sand-boxed FTP uploads [1].  Occasionally
I see things in there with all-numeric filenames.  They seem to be some
kind of unidentified [2] data.  They're all the same size.  Here's
what's there currently:

$ ls -l [0-9]* 
-rw-rw-r--   1 ftp      ftp       104154 Dec 20 18:21 389.204
-rw-rw-r--   1 ftp      ftp       104154 Dec 21 09:27 449.833
-rw-rw-r--   1 ftp      ftp       104154 Dec 24 08:15 57.605
-rw-rw-r--   1 ftp      ftp       104154 Nov 29 13:30 689.279
-rw-rw-r--   1 ftp      ftp       104154 Dec 23 12:31 881.787

With one exception, these all came from dip.t-dialin.net space.  The
other came from gte.net space.  All users anon logged in as
"ano () ano com."

I long ago disallowed FTP access by wanadoo.fr users due to wide-spread
FTP abuse from that space and poor abuse handling by wanadoo.fr.  I'm
wondering if this isn't the same kind of thing?

[1] FTP "incoming" directory is write-only.  Users can't even get a
    directory listing and file over-writes are prohibited.
[2] Unidentified by "file mumble"

Thanks,
Jim
-- 
Jim Seymour                  | PGP Public Key available at:
jseymour () LinxNet com         | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com    |
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
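The four hardening steps in Bruce's reply (a write-only drop directory, periodic
pruning from cron, a size cap, and per-user subdirectories), worked through as a
small POSIX shell toolkit. This is an added example, not code from the original
post, from wu-ftpd or from the CERT tech tip it references; the directory paths,
the 7-day retention and the size limit in the comments are assumptions, and the
quota check is a portable stand-in for real filesystem quotas.

```shell
#!/bin/sh
# Added example: helpers for hardening an anonymous-upload "incoming" directory.
# Assumed values (not from the original thread): the directory lives under
# /var/ftp/incoming, uploads are kept 7 days, and the cap is 50 MB (51200 KB).

# Steps 1 and 4: create a drop directory that anonymous users can write into
# but cannot list.  Mode 1733 = sticky bit + owner rwx + group/other wx, so
# "ls" by the anonymous user fails (no read bit) and, because of the sticky
# bit, users cannot remove or rename each other's files.  Use the same helper
# for the top-level incoming directory and for per-user subdirectories whose
# hard-to-guess names are handed out only to the legitimate uploaders.
make_dropbox() {
    dir="$1"
    mkdir -p "$dir"
    chmod 1733 "$dir"
}

# Step 2: delete regular files older than $2 days below $1 and print how many
# were removed.  Meant to run from cron, for example nightly:
#   0 3 * * * . /usr/local/lib/incoming.sh; prune_incoming /var/ftp/incoming 7
# (Counting via "find" output assumes file names without embedded newlines.)
prune_incoming() {
    dir="$1"
    days="$2"
    stale=$(find "$dir" -type f -mtime +"$days")
    if [ -z "$stale" ]; then
        echo 0
        return 0
    fi
    count=$(printf '%s\n' "$stale" | wc -l | tr -d ' ')
    # -mtime +N selects files whose age is strictly more than N 24-hour periods.
    find "$dir" -type f -mtime +"$days" -exec rm -f {} +
    echo "$count"
}

# Step 3: report whether the directory already uses more than $2 KB.
# Exit status 0 (true) means "over the cap"; a cron wrapper can alert or
# temporarily chmod the directory to 0 when this succeeds.  A real disk quota
# or a dedicated "just-big-enough" filesystem is the stronger control; this
# check only needs du and works anywhere.
incoming_over_quota() {
    dir="$1"
    limit_kb="$2"
    used_kb=$(du -sk "$dir" | awk '{print $1}')
    [ "$used_kb" -gt "$limit_kb" ]
}
```

Source the file from a cron job and call `prune_incoming` and `incoming_over_quota`
on a schedule; `make_dropbox` is a one-off at setup time (and again whenever a
new per-user subdirectory is issued).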
