> At the moment I'm responsible for an ftp site which allows anonymous write
> access to a directory to allow development partners to upload files. They
> have also been hit with warez activity similar to FrogEater, which 1K and
> 1MB test files being uploaded, followed by various directories (.tmp,
> tagged, 010305102214p etc.) being created and warez uploaded. I wonder
> whether there is any way (perhaps using network/host ids signatures) to
> detect this sort of activity and block the intruding warez d00d, or at
least
> alert a sysadmin?
I was running a similar site; it allowed anon upload but not download.
I had lots of warez activity, the tools creating directories, and the
occasional d00d uploading before he realized he couldn't download again. I
finally configured my FTP daemon to log all commands and ran 'tail -f log |
program' where program looked for suspicious commands ('STOR 1mb', 'PASS
l33ch', etc. etc.) When it got a match it dropped the offender into
ipchains. The amount of time I spent cleaning up after them dropped
dramatically.
Unfortunately, I don't know of any FTP daemons that will do this on
their own. It would be a nice way to shut out the automated tools.
--
gowen -- Greg Owen -- gowenat_private
79A7 4063 96B6 9974 86CA 3BEF 521C 860F 5A93 D66D
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 13:11:02 PDT