> At the moment I'm responsible for an ftp site which allows anonymous write
> access to a directory to allow development partners to upload files. They
> have also been hit with warez activity similar to FrogEater, with 1K and
> 1MB test files being uploaded, followed by various directories (.tmp,
> tagged, 010305102214p etc.) being created and warez uploaded. I wonder
> whether there is any way (perhaps using network/host ids signatures) to
> detect this sort of activity and block the intruding warez d00d,
> or at least
> alert a sysadmin?
>
> Any ideas?
>
> Richard Bartlett
> Hacker Immunity Ltd
>
> (I'm currently working on setting up permissions so the uploadable
> directories are execute only; i.e. you can't see it in dir/ls, but you can
> cd to it, and the dir names will be suitably obscure to prevent them being
> guessed).

I've been testing Chris Evans' new vsftpd server, with good results. It solves this problem very neatly, with no need to make the upload directory unreadable or to play cat-and-mouse games with directory names. Files uploaded by the anonymous user can be chowned to another user, and you can prohibit anonymously-created directories without prohibiting all anonymous writes.

Get it from: ftp://ferret.lmh.ox.ac.uk/pub/linux/vsftpd-0.9.0.tar.gz. I am probably going to put it into production RSN. One of its best features is the ability to chroot some users but not others, and you never have to set up /dev trees and libraries in any chroot area.

My current ftp servers run Wietse Venema's ftpd from his logdaemon package: ftp://ftp.porcupine.org/pub/security/logdaemon-5.11.tar.gz. It chmods anonymous files and directories to 0044, so the anonymous user can't do anything with them. I see a lot of these directories appearing on my ftp server's upload directory too, but they are always empty.

---
ALL YOUR BASE ARE BELONG TO US
SOMEBODY SET UP US THE BOMB
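Added example, not part of the original post or of the vsftpd project: a vsftpd.conf fragment showing the permissive anonymous-upload setup the question describes beside the hardened form the reply recommends (uploads allowed, anonymous mkdir refused, uploads chowned away, selective chroot). Option names are those documented for current vsftpd releases and may differ from the 0.9.0 snapshot linked above; the `ftpsecure` owner account and the chroot list path are assumed. Only one of the two sections belongs in a real file; vsftpd does not accept trailing comments, so every comment sits on its own line.

```ini
# ---- WEAK: the drop-site configuration ----
# Anonymous users can upload, create directories, rename or delete what
# others left behind, and read everything back. This is what gets abused.
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
# 0666 & ~022 = 0644: uploads come back world-readable
anon_umask=022

# ---- HARDENED: uploads still work, but are useless to the uploader ----
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
# Refuse anonymously created directories without refusing uploads
anon_mkdir_write_enable=NO
# No rename/delete of anything already in the upload area
anon_other_write_enable=NO
# 0666 & ~077 = 0600: the anonymous user cannot read back an upload
anon_umask=077
# Hand every anonymous upload to a dedicated (assumed) account, never root
chown_uploads=YES
chown_username=ftpsecure
# Anonymous downloads are limited to world-readable files
anon_world_readable_only=YES

# Chroot local users, except those listed in the (assumed) exemption file;
# with chroot_local_user=YES the list names users who are NOT chrooted
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

# Native vsftpd log instead of xferlog: it records MKDIR/DELE attempts as
# well as transfers, which is what an admin alert for this pattern needs
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
```

With the hardened section in place, a probe upload followed by a mkdir shows up in the native log as an accepted upload and a refused MKDIR, which is a cheap thing to watch for.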
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 15:45:11 PDT