Security Incidents mailing list archives
Re: [Fwd: Re: Ramen worm . More details on it. ( found a password ande-mails crypted inside it)]
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 18 Jan 2001 11:21:43 +1300
On Wed, 17 Jan 2001 18:14:13 +0100 Bernhard Rosenkraenzer <bero () REDHAT DE> wrote:
> On Wed, 17 Jan 2001, Douglas P. Brown wrote:
>
> There's a bug in this analysis of the worm:
>
> All I see is it adding the lines "ftp" and "anonymous" to /etc/ftpusers. Maybe the creator just wants ftp sites.
>
> If so, the creator is badly mistaken about the meaning of /etc/ftpusers. ftpusers is the list of users who may *not* log in. Considering he's also replacing index.html files with nonsense, it's most likely part of a denial of service attack, intentionally closing anonftp.
No, he is securing the machine against another compromise. This worm exploits the site exec bug (please correct me if I am wrong); to do this you need to be logged into ftp, either anonymously or as a real user. By adding "ftp" and "anonymous" to /etc/ftpusers he effectively disables anonymous ftp and thus stops anyone else from exploiting the bug.

We had several machines attacked and the attack succeeded only against those machines with anonymous ftp.

Cheers, Russell

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
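The /etc/ftpusers change discussed in this thread can be checked for during triage. The following is an added example, not part of the original message or of any tool mentioned in it: it compares a host's deny list with a known-good baseline and reports whether the "ftp" and "anonymous" entries appeared. The function names, the baseline approach and the sample file contents are assumptions made for illustration.

```python
# Added example (not from the original post): triage of /etc/ftpusers content.
# /etc/ftpusers lists the accounts that may NOT log in over FTP.

# The two lines the thread says the worm adds to the file.
ANON_ACCOUNTS = {"ftp", "anonymous"}


def parse_ftpusers(text):
    """Return the set of denied account names, skipping comments and blanks."""
    denied = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            denied.add(line.split()[0])
    return denied


def triage(current_text, baseline_text):
    """Compare the current deny list with a known-good baseline copy."""
    current = parse_ftpusers(current_text)
    baseline = parse_ftpusers(baseline_text)
    added = current - baseline
    return {
        "anon_entries_present": sorted(ANON_ACCOUNTS & current),
        "added_since_baseline": sorted(added),
        "removed_since_baseline": sorted(baseline - current),
        # True when both entries named in the thread are new relative to
        # the baseline; a prompt to investigate, not proof of compromise.
        "matches_thread_pattern": ANON_ACCOUNTS <= added,
    }


# Constructed sample inputs (hypothetical file contents).
BASELINE = """# accounts denied FTP login
root
bin
daemon   # system account
"""
CURRENT = BASELINE + "ftp\nanonymous\n"

if __name__ == "__main__":
    for key, value in triage(CURRENT, BASELINE).items():
        print(f"{key}: {value}")
```

An administrator may also have added these entries deliberately, so a match is best read alongside the other changes mentioned in the thread, such as replaced index.html files.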