Security Incidents mailing list archives

RE: 'FrogEater'


From: "Mike Batchelor" <mikebat () tmcs net>
Date: Wed, 16 May 2001 15:44:52 -0700

At the moment I'm responsible for an ftp site which allows anonymous write
access to a directory to allow development partners to upload files.  They
have also been hit with warez activity similar to FrogEater, with 1K and
1MB test files being uploaded, followed by various directories (.tmp,
tagged, 010305102214p etc.) being created and warez uploaded.  I wonder
whether there is any way (perhaps using network/host ids signatures) to
detect this sort of activity and block the intruding warez d00d, or at least
alert a sysadmin?

Any ideas?

Richard Bartlett
Hacker Immunity Ltd

(I'm currently working on setting up permissions so the uploadable
directories are execute only; i.e. you can't see it in dir/ls, but you can
cd to it, and the dir names will be suitably obscure to prevent them being
guessed).

I've been testing Chris Evans's new vsftpd server, with good results.  It
solves this problem very neatly, no need to make the upload directory
unreadable, or to play cat-and-mouse games with directory names.  Files
uploaded by the anonymous user can be chowned to another user, and you can
prohibit anonymously-created directories without prohibiting all anonymous
writes.  Get it from:
ftp://ferret.lmh.ox.ac.uk/pub/linux/vsftpd-0.9.0.tar.gz.  I am probably
going to put it into production RSN.  One of its best features is the
ability to chroot some users but not others, and you never have to set up
/dev trees and libraries in any chroot area.

My current ftp servers run Wietse Venema's ftpd from his logdaemon package:
ftp://ftp.porcupine.org/pub/security/logdaemon-5.11.tar.gz.  It chmods
anonymous files and directories to 0044, so the anonymous user can't do
anything with them.  I see a lot of these directories appearing on my ftp
server's upload directory too, but they are always empty.

---
ALL YOUR BASE ARE BELONG TO US
 SOMEBODY SET UP US THE BOMB
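One way to get the alerting Richard asks for, as an added example that is not part of the original thread: a heuristic over FTP server log lines that flags a client which uploads probe-sized (1K / 1MB) files and then creates obscurely named directories. The log lines are constructed in the shape of vsftpd's transfer log and are not real data; the directory-name pattern is assumed from the names quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of vsftpd's transfer log (not real log data).
SAMPLE_LOG = """\
Wed May 16 14:01:02 2001 [pid 4101] [ftp] OK UPLOAD: Client "192.0.2.10", "/pub/incoming/test1k.txt", 1024 bytes, 10.00Kbyte/sec
Wed May 16 14:01:09 2001 [pid 4101] [ftp] OK UPLOAD: Client "192.0.2.10", "/pub/incoming/test1m.dat", 1048576 bytes, 250.00Kbyte/sec
Wed May 16 14:01:15 2001 [pid 4101] [ftp] OK MKDIR: Client "192.0.2.10", "/pub/incoming/.tmp"
Wed May 16 14:01:20 2001 [pid 4101] [ftp] OK MKDIR: Client "192.0.2.10", "/pub/incoming/.tmp/010305102214p"
Wed May 16 14:02:40 2001 [pid 4101] [ftp] OK UPLOAD: Client "192.0.2.10", "/pub/incoming/.tmp/010305102214p/part01.rar", 14680064 bytes, 300.00Kbyte/sec
Wed May 16 14:30:00 2001 [pid 4188] [ftp] OK UPLOAD: Client "198.51.100.7", "/pub/incoming/build-2001-05-16.tgz", 5242880 bytes, 200.00Kbyte/sec
"""

LINE_RE = re.compile(r'OK (?P<op>UPLOAD|MKDIR): Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"'
                     r'(?:, (?P<size>\d+) bytes)?')
PROBE_SIZES = {1024, 1048576}                                   # the 1K and 1MB test files
OBSCURE_DIR = re.compile(r'/(\.[^/]+|tagged|\d{12}[a-z]?)$')    # .tmp, tagged, 010305102214p (assumed)

def parse(log_text):
    """Yield (ip, op, path, size) for each UPLOAD/MKDIR line; size is None for MKDIR."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["op"], m["path"], int(m["size"]) if m["size"] else None

def detect_warez_pattern(log_text):
    """Return {client_ip: reasons} for clients showing probe -> mkdir -> upload."""
    by_client = defaultdict(list)
    for ip, op, path, size in parse(log_text):
        by_client[ip].append((op, path, size))
    alerts = {}
    for ip, evs in by_client.items():
        probes = [p for op, p, s in evs if op == "UPLOAD" and s in PROBE_SIZES]
        dirs = [p for op, p, s in evs if op == "MKDIR" and OBSCURE_DIR.search(p)]
        # Uploads landing inside a flagged directory are the payload itself.
        nested = [p for op, p, s in evs if op == "UPLOAD"
                  and any(p.startswith(d + "/") for d in dirs)]
        if probes and dirs:   # both halves of the pattern must be present
            alerts[ip] = [f"{len(probes)} probe-sized upload(s)",
                          f"obscure dir(s) created: {', '.join(dirs)}",
                          f"{len(nested)} upload(s) into flagged dir(s)"]
    return alerts

if __name__ == "__main__":
    for ip, reasons in detect_warez_pattern(SAMPLE_LOG).items():
        print(f"ALERT {ip}: " + "; ".join(reasons))
```

The legitimate partner upload from 198.51.100.7 produces no alert because it neither matches a probe size nor creates a directory.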

