On Wed, 14 Apr 1999, Stu Alchor wrote:

> I'm a system administrator of an educational domain which deals with
> ...
> But what took my attention is that he had a script called ftp-w0rm.tgz
> which was able to look for the ftpd bug around the world, exploit it and
> reproduce the script like a worm. We found out that once the worm gets
> into a new host, it will install a backdoor (bindcode) on port 31337
> and start a new scan. By taking a look at the time stamp, the intruder
> has been running this toy since March.

I sent a message related to this two weeks ago which Aleph (evidently) chose not to post. The message and associated programs/documents are at http://blue.ils.unc.edu/Apr1/hack/ (blue-bugtraq.txt is the post).

This program, like ADMwuftpd.c, exploits WRITE-able directories on your Linux FTP server. It then uses a hole in wu-ftpd (found in all versions, including the VR patches) to get a root shell.

The program you included, Stu, seems to combine the scanning for a writable directory with the exploit. ADMwuftpd.c, which was posted to Bugtraq around the end of March, needs to be told where to run the exploit. Other programs (a few are available) actually look for writable directories.

The hole is a buffer overflow for very long directory names. From there, everything's easy... the program which started out as a remote FTP connection ends up as a root shell on the remote machine. You don't even get logged, because it's not an actual login. But the intruder could, of course, set up a username or do anything else s/he chooses.

You mentioned that a backdoor was installed... sure, that's viable. Once you get that root shell, anything is fair game.

The solution is simply to not have any world-writable directories under your anonymous FTP tree. This is good policy anyway, regardless of this particular exploit, because a world-writable directory is just an invitation for your site to be turned into a warez distribution point.

-- Greg

// Gregory B. Newby, Assistant Professor in the School of Information
// and Library Science, University of North Carolina at Chapel Hill
// CB# 3360 Manning Hall, Chapel Hill, NC, 27599-3360
// E: gbnewbyat_private  V: 919-962-8064  F: 919-962-8071
// W: http://www.ils.unc.edu/~gbnewby/
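The check Greg's post recommends, written out as an added example (this is not code from the original post or from the ADMwuftpd/ftp-w0rm tools): a small POSIX shell audit that lists every directory under an anonymous FTP root that an anonymous client could create entries in, which is exactly what the scanning half of such a worm looks for before it tries the long-directory-name overflow. The FTP root and the account name anonymous sessions run under are assumptions passed in by the caller; the sample tree at the bottom is constructed in a temporary directory so the script runs stand-alone.

```sh
#!/bin/sh
# audit_anon_ftp.sh (added example, not part of the original post)
#
# Lists directories under an anonymous FTP tree that an anonymous client
# could MKD/STOR into.  Assumptions: the tree root is the first argument
# to each function; the account anonymous sessions run as (commonly
# "ftp") is supplied by the caller where a function needs it.

# Directories with the "others" write bit set.  The sticky bit does not
# help here: the attacker only needs to create entries, not delete
# someone else's, so 1777 is as bad as 777 for this purpose.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Directories owned by the anonymous account itself are writable by the
# daemon regardless of their mode bits, so they should not exist under
# the tree either.  $2 is the account name (an assumption; nothing is
# listed if the account does not exist on this host).
owned_by_ftp_user() {
    find "$1" -type d -user "$2" 2>/dev/null | sort
}

# Number of world-writable directories under $1; 0 means the tree is
# clean with respect to the post's recommendation.
audit_count() {
    world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Remediation: clear the "others" write bit on every offending directory.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} \; 2>/dev/null
}

# Constructed sample tree for a stand-alone run: a clean "pub" and a
# world-writable "incoming" like the ones the post warns about.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/pub/src" "$root/incoming"
    chmod 755 "$root" "$root/pub" "$root/pub/src"
    chmod 1777 "$root/incoming"
    echo "$root"
}

SAMPLE_ROOT=$(make_sample_tree)
echo "World-writable directories under $SAMPLE_ROOT:"
world_writable_dirs "$SAMPLE_ROOT"
echo "Directories owned by ${FTP_USER:-ftp} (if that account exists):"
owned_by_ftp_user "$SAMPLE_ROOT" "${FTP_USER:-ftp}"
echo "Findings before fix: $(audit_count "$SAMPLE_ROOT")"
fix_world_writable "$SAMPLE_ROOT"
echo "Findings after fix:  $(audit_count "$SAMPLE_ROOT")"
rm -rf "$SAMPLE_ROOT"
```

Run it against the real tree by calling the functions with your own root (for example `world_writable_dirs /home/ftp` and `owned_by_ftp_user /home/ftp ftp`); anything it lists is either a directory to remove or one whose mode and ownership need changing before the server goes back on the network.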
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:26 PDT