Security Incidents mailing list archives
RE: 'FrogEater'
From: "Mike Batchelor" <mikebat () tmcs net>
Date: Wed, 16 May 2001 15:44:52 -0700
At the moment I'm responsible for an ftp site which allows anonymous write access to a directory to allow development partners to upload files. They have also been hit with warez activity similar to FrogEater, with 1K and 1MB test files being uploaded, followed by various directories (.tmp, tagged, 010305102214p etc.) being created and warez uploaded.

I wonder whether there is any way (perhaps using network/host ids signatures) to detect this sort of activity and block the intruding warez d00d, or at least alert a sysadmin? Any ideas?

Richard Bartlett
Hacker Immunity Ltd

(I'm currently working on setting up permissions so the uploadable directories are execute only; i.e. you can't see it in dir/ls, but you can cd to it, and the dir names will be suitably obscure to prevent them being guessed).
I've been testing Chris Evans' new vsftpd server, with good results. It solves this problem very neatly, no need to make the upload directory unreadable, or to play cat-and-mouse games with directory names. Files uploaded by the anonymous user can be chowned to another user, and you can prohibit anonymously-created directories without prohibiting all anonymous writes. Get it from:

ftp://ferret.lmh.ox.ac.uk/pub/linux/vsftpd-0.9.0.tar.gz

I am probably going to put it into production RSN. One of its best features is the ability to chroot some users but not others, and you never have to set up /dev trees and libraries in any chroot area.

My current ftp servers run Wietse Venema's ftpd from his logdaemon package:

ftp://ftp.porcupine.org/pub/security/logdaemon-5.11.tar.gz

It chmods anonymous files and directories to 0044, so the anonymous user can't do anything with them. I see a lot of these directories appearing on my ftp server's upload directory too, but they are always empty.

---
ALL YOUR BASE ARE BELONG TO US
SOMEBODY SET UP US THE BOMB
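An added example, not part of the original message or of any software it mentions: one way to approach the detection question quoted above, by scanning a transfer log for the pattern described (anonymous 1K and 1MB test uploads, then uploads into newly created subdirectories). The xferlog-style log format, the `/incoming` path, the sample lines and the rule that legitimate partners never upload into subdirectories are all assumptions.

```python
from collections import defaultdict

PROBE_SIZES = {1024, 1024 * 1024}  # the 1K and 1MB test uploads from the report
UPLOAD_ROOT = "/incoming"          # assumed anonymous-writable directory

# Constructed sample log lines (xferlog-style format is an assumption).
SAMPLE = """\
Wed May 16 10:00:01 2001 1 192.0.2.10 1024 /incoming/1k.tst b _ i a guest@ ftp 0 * c
Wed May 16 10:00:09 2001 8 192.0.2.10 1048576 /incoming/1mb.tst b _ i a guest@ ftp 0 * c
Wed May 16 10:05:30 2001 600 192.0.2.10 73400320 /incoming/.tmp/tagged/disc1.bin b _ i a guest@ ftp 0 * c
Wed May 16 11:00:00 2001 3 partner.example.com 204800 /incoming/build notes.zip b _ i a dev@partner.example.com ftp 0 * c
Wed May 16 11:30:00 2001 2 partner.example.com 1024 /incoming/readme.txt b _ i a dev@partner.example.com ftp 0 * c
"""

def parse_xferlog(line):
    """Parse one xferlog-style line; return None if it is malformed."""
    tok = line.split()
    if len(tok) < 18 or not tok[7].isdigit():
        return None
    # A filename may contain spaces, so read the fixed fields from both ends:
    # 8 fields before the name, 9 after it.
    return {"host": tok[6], "size": int(tok[7]), "path": " ".join(tok[8:-9]),
            "incoming": tok[-7] == "i", "anonymous": tok[-6] == "a"}

def suspicious_hosts(lines):
    """Return {host: [reasons]} for anonymous uploaders matching the pattern."""
    probes, subdirs = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_xferlog(line)
        if not rec or not (rec["incoming"] and rec["anonymous"]):
            continue
        if rec["size"] in PROBE_SIZES:
            probes[rec["host"]].add(rec["size"])
        if rec["path"].startswith(UPLOAD_ROOT + "/"):
            rel = rec["path"][len(UPLOAD_ROOT) + 1:]
            if "/" in rel:  # upload landed below the root, in a created directory
                subdirs[rec["host"]].add(rel.split("/")[0])
    report = {}
    for host in set(probes) | set(subdirs):
        reasons = []
        if probes[host] == PROBE_SIZES:  # one probe size alone is too common to flag
            reasons.append("uploaded both 1K and 1MB probe files")
        if subdirs[host]:
            reasons.append("uploaded into subdirectories: " + ", ".join(sorted(subdirs[host])))
        if reasons:
            report[host] = reasons
    return report

if __name__ == "__main__":
    for host, reasons in suspicious_hosts(SAMPLE.splitlines()).items():
        print(host, "->", "; ".join(reasons))
```

A host that uploads only one of the two probe sizes is not flagged, since a legitimate file can easily be exactly 1024 bytes.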