[H-GEN] FTP login by wtmp?
Everist, Geoff
everistg at switch.aust.com
Sun Aug 22 21:38:05 EDT 1999
[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]
[snip]
> -----Original Message-----
> From: Everist, Geoff [mailto:everistg at switch.aust.com]
> Sent: Tuesday, 17 August 1999 16:12
> To: general at lists.humbug.org.au
> Subject: RE: [H-GEN] FTP login by wtmp?
>
> A salutary lesson to all those out there with a standard RedHat
> installation...turn off your ftp daemon (if you have wu-ftp installed) _now_
> and/or find another one. And...turn off (or limit access to) anything else
> connected to the outside world that you do not absolutely need.
>
> The login was exploiting what appears to be a backdoor (the user wtmp), and
> a buffer overflow (thus the strange file in ftp/pub) within wu-ftpd. The
> upshot is the attacker managed to get root access to our system via wu-ftpd,
> and then installed and fired up IRC proxy software (on port 40,000), along
> with a few nasty Windows NT/98 DoS utilities which s/he was probably using
Blah, blah, blah...
[snip]
<RANT>
Well, the clean-up is almost complete and we are up and running again. We
decided to do a complete re-build of the affected machine, change passwords,
tighten up access, etc, etc. The script-kiddie that got in had done some
nasty stuff, including installation of a ps trojan (to hide the processes
that had been installed), installation and execution of network sniffer
software (if you ever see "going into promiscuous mode" in your system logs,
panic), and installation of log modification scripts, so we figured it was
safer to rebuild the entire system from scratch :-(. Thanks to Humbug
members who helped with advice.
Anyway, what _really_ annoys me is the lack of action from the ISP through
which our little script-kiddie attacked. The ISP was ihug.co.nz. A detailed
email was sent to their abuse team on August 17 (Tuesday), with a follow-up
the next day. I tried calling the ISP in NZ to talk to a sysop, but nobody
would put me through. I still don't even have acknowledgement from
ihug.co.nz that they have received the email, let alone any indication that
they are investigating the complaint. In desperation I tried to get in
contact with their Australian operation, and at least got an acknowledgement
from them (but no further investigation). I have sent a further follow-up
today (as a result of further access attempts), but I am not holding my
breath.
Now...I do not work for an ISP, so I am not aware of the pressures and
priorities that are experienced by the sysops, but on the surface, this
looks pretty piss-poor. Is it unreasonable to expect some sort of response
to a complaint of this nature, especially when it could indicate that the
ISP may have been compromised themselves? If it was a complaint about a
simple portscan, or an attempted telnet access then I would not be too
concerned about a lack of response, but this is different.
If I had an account on this particular ISP, I would be checking my invoices
_very_ carefully!
</RANT>
I would be interested in the general perspective from the point of view of
an ISP Sysop...
Is this something that should be taken seriously by an ISP?
Is it reasonable to expect a response to such an abuse report, and if so,
what would be the maximum time for the response?
Is there now so much noise generated by people reporting abuse that there
simply is not enough time to investigate and respond any more?
Is there anything else I can do to get their attention (within reasonable
bounds, of course)?
Cheers
Geoff Everist
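The post lists the signs that gave the intrusion away: a backdoor login (the wtmp user), a trojaned ps, a sniffer that put the interface into promiscuous mode, and an IRC proxy listening on port 40,000. As an added example, not from the original post or anything the Humbug list published, here is a small Python triage script that checks for exactly those four signs. The /etc/passwd, ps, /proc, syslog and netstat samples in it are constructed, not captures from the compromised host, and the "baseline" set of account names is assumed to come from a copy of /etc/passwd saved at install time.

```python
"""Post-compromise triage checks matching the signs described in the post:
a backdoor login, a trojaned ps, a sniffer (promiscuous mode) and a rogue
listener. Each check is a pure function over text, so it runs here on the
constructed samples below and can be fed real command output on a host.
None of this substitutes for the rebuild the post describes; it only helps
decide that a box is dirty."""
import re


def extra_root_accounts(passwd_text, baseline_names=None):
    """Return (uid0_accounts, new_accounts) from /etc/passwd text.

    uid0_accounts: accounts with UID 0 other than root (a second root).
    new_accounts: accounts absent from baseline_names, e.g. the names in a
    copy of /etc/passwd saved after installation; [] when no baseline given.
    A backdoor login such as the post's 'wtmp' user shows up in at least one.
    """
    uid0, names = [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # blank, comment or malformed entry
        name, uid = fields[0], fields[2]
        names.append(name)
        if uid == "0" and name != "root":
            uid0.append(name)
    new = [] if baseline_names is None else [n for n in names if n not in baseline_names]
    return uid0, new


def hidden_pids(ps_output, proc_entries):
    """PIDs that exist in /proc but are missing from ps output.

    ps_output: text of `ps -e -o pid=`; proc_entries: os.listdir('/proc').
    A trojaned ps filters its own processes out of its listing but cannot
    remove their /proc directories, so the difference is the hidden set.
    Processes that exit between the two snapshots also land here, so
    re-run before treating a non-empty result as proof.
    """
    reported = {int(p) for p in ps_output.split()}
    in_proc = {int(e) for e in proc_entries if e.isdigit()}
    return sorted(in_proc - reported)


PROMISC_RE = re.compile(r"promisc", re.IGNORECASE)


def promiscuous_events(syslog_text):
    """Syslog lines recording an interface entering promiscuous mode.

    A sniffer has to put the NIC into promiscuous mode and the kernel logs
    that; these lines are the 'panic' signal the post refers to.
    """
    return [l for l in syslog_text.splitlines() if PROMISC_RE.search(l)]


# Matches a `netstat -an` TCP line in LISTEN state and captures the local port.
LISTEN_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")


def unexpected_listeners(netstat_text, allowed_ports):
    """TCP ports in LISTEN state outside allowed_ports (the post's port 40,000)."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) not in allowed_ports:
            ports.add(int(m.group(1)))
    return sorted(ports)


# Constructed sample inputs (not real captures from the compromised host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
ftp:x:14:50:FTP User:/home/ftp:
wtmp:x:0:0::/var/log:/bin/sh
geoff:x:500:500:Geoff:/home/geoff:/bin/bash
"""
BASELINE_NAMES = {"root", "bin", "ftp", "geoff"}  # assumed install-time account names
SAMPLE_PS = "1\n2\n112\n340\n"  # what the (trojaned) ps admits to
SAMPLE_PROC = ["1", "2", "112", "340", "417", "net", "self"]  # os.listdir('/proc')
SAMPLE_SYSLOG = """Aug 17 02:11:03 host kernel: device eth0 entered promiscuous mode
Aug 17 02:11:05 host PAM_pwdb[612]: (login) session opened for user geoff by (uid=0)
Aug 17 03:01:00 host CROND[700]: (root) CMD (run-parts /etc/cron.hourly)
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40000           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:21             10.0.0.9:1034           ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""
ALLOWED_PORTS = {21, 22, 25, 80}


def triage(passwd, baseline, ps, proc, syslog, netstat, allowed):
    """Run all checks and return a dict of findings; empty values mean clean."""
    uid0, new = extra_root_accounts(passwd, baseline)
    return {
        "uid0_accounts": uid0,
        "new_accounts": new,
        "hidden_pids": hidden_pids(ps, proc),
        "promiscuous": promiscuous_events(syslog),
        "rogue_listeners": unexpected_listeners(netstat, allowed),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_PASSWD, BASELINE_NAMES, SAMPLE_PS, SAMPLE_PROC,
                      SAMPLE_SYSLOG, SAMPLE_NETSTAT, ALLOWED_PORTS)
    for check, hits in findings.items():
        print(f"{check:16s} {'CLEAN' if not hits else hits}")
```

On a live host feed the functions the real data: the text of /etc/passwd, the output of `ps -e -o pid=`, `os.listdir('/proc')`, /var/log/messages and `netstat -an`. Run the ps and netstat from a known-good copy (a rescue floppy or CD, or a statically linked binary brought over from a clean box), because the host's own binaries are exactly what the intruder replaced; and treat any hit as grounds for the rebuild the post chose, not as something to clean up by hand.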
--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.