[H-GEN] FTP login by wtmp?
Everist, Geoff
everistg at switch.aust.com
Tue Aug 17 02:12:18 EDT 1999
[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]
A salutary lesson to all those out there with a standard RedHat
installation...turn off your ftp daemon (if you have wu-ftp installed) _now_
and/or find another one. And...turn off (or limit access to) anything else
connected to the outside world that you do not absolutely need.
The login was exploiting what appears to be a backdoor (the user wtmp), and
a buffer overflow (thus the strange file in ftp/pub) within wu-ftpd. The
upshot is the attacker managed to get root access to our system via wu-ftpd,
and then installed and fired up IRC proxy software (on port 40,000), along
with a few nasty Windows NT/98 DoS utilities which s/he was probably using
in some pointless IRC war. They also installed a script for altering log
files to cover their tracks. AFAIK we were using the latest available
wu-ftpd for RH5.2 from the RH website...needless to say we are looking for a
new one.
Fortunately, they only ran the script on the ftp xferlog, and did not bother
with the system log or with the ippl log, so we have a complete audit trail
of their access attempts, which leads me to believe that the attacker(s) was
only a scriptkiddy. The attacker was not smart enough to use IP spoofing
either; we think we have tracked the lowlife back to a dial-up connection at
their ISP.
We are now in the process of combing through our system auditing all files
that have changed since the original attack. Any other suggestions from the
more security savvy HUMBUGers will be most welcome. Oh...and I think we will
be installing Tripwire or a variant in the very near future!
Cheers
Geoff Everist
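A small Python illustration of the "audit all files that have changed" step and the Tripwire-style baseline the post says it will adopt. This is an added example, not code from this thread or from Tripwire; the directory layout, the xferlog line and the tampering it simulates are constructed.

```python
"""Minimal file-integrity baseline (added example, not from the thread).
Records sha256, mode bits and size for every regular file under a root, then
compares a fresh manifest with the stored one to list added/removed/altered files."""
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    # relative path -> (sha256 hex, permission bits, size) for regular files
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks/devices are out of scope here
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            manifest[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def diff_manifests(baseline, current):
    """Return added, removed and modified paths; a mode or size change counts."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    # constructed scenario: take a baseline, then simulate post-compromise changes
    with tempfile.TemporaryDirectory() as root:
        pub = os.path.join(root, "ftp", "pub")
        os.makedirs(pub)
        with open(os.path.join(pub, "README"), "w") as f:
            f.write("welcome\n")
        with open(os.path.join(root, "xferlog"), "w") as f:
            f.write("Mon Aug 16 11:00:00 1999 ...\n")  # constructed log line
        baseline = build_manifest(root)
        # simulated tampering: log truncated, file dropped in pub, README deleted
        open(os.path.join(root, "xferlog"), "w").close()
        with open(os.path.join(pub, "dropped.bin"), "wb") as f:
            f.write(b"\x00" * 16)
        os.remove(os.path.join(pub, "README"))
        return diff_manifests(baseline, build_manifest(root))
```

The baseline must be taken from known-good media and stored off the host, otherwise an intruder who has already gained root can simply rewrite it.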
> -----Original Message-----
> From: Marshall, Joshua [mailto:MarshallJ at switch.aust.com]
> Sent: Monday, 16 August 1999 11:21
> To: general at lists.humbug.org.au
> Subject: RE: [H-GEN] FTP login by wtmp?
>
>
> [ Humbug *General* list - semi-serious discussions about Humbug and
> Unix-related[1] topics. ]
>
> > Depending on what's in the other log files it probably means somebody
> > opened a socket but did nothing: you may have just been scanned and no
> > more.
>
> They actually did get in, and they created a directory in my ftp/pub
> directory and put a file in there (which was crap anyway, 'cause the
> filename was a heap of ?'s)
>
> > b. Tell ipfw or ipchains to deny all but the machines who're allowed to
> > connect.
>
> Yeah that sounds the best option. I'd still like to know if there is a
> security hole in that ftpd. It's version wu-2.5.0(1)
>
> Or whether it's possible to log in with the wtmp user (who doesn't have an
> entry in the passwd file)
>
> Cheers,
> Josh.
>
> --
> This is list (humbug) general handled by majordomo at lists.humbug.org.au .
> Postings only from subscribed addresses of lists general or general-post.
> [1] Just for Jason.
>
--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.