Bug 19106 - Security problem with Anonymous FTP
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: wu-ftpd
Version: 6.2
Hardware: i386 Linux
Priority: high
Severity: medium
Assigned To: Bernhard Rosenkraenzer
QA Contact: Dale Lovelace
Keywords: Security
Reported: 2000-10-14 09:27 EDT by Krisztian Danko
Modified: 2007-03-26 23:36 EDT
Doc Type: Bug Fix
Last Closed: 2000-10-16 07:38:54 EDT

Attachments:
These are the entries from /etc/messages (3.86 KB, text/plain), 2000-10-14 09:29 EDT, Krisztian Danko

Description Krisztian Danko 2000-10-14 09:27:16 EDT
My server has recently been broken into using the anonymous FTP service.
I don't know how it was done but the following happened according to
/etc/messages:

The hacker logged in using anonymous FTP and put in something binary
as the password

The password for one of the users was changed then the hacker logged in
using that username and ran the "su" command to become root

syslogd was restarted

From this point on, logging was turned off on the server, and the
su command didn't work any more.

Two days later I set up the firewall rules to disable everything from
outside except DNS, POP3 and ICMP. I haven't seen any more attacks since.

I also noticed that the following programs were replaced:

/bin/ls
/bin/su
/sbin/syslogd

(And I am still looking for more)

If this is a new bug, could you please contact me at
kdanko@slofstra.com and I will send you
the log entries. I also made a copy of the hacker's /bin/ls command.
Comment 1 Krisztian Danko 2000-10-14 09:29:53 EDT
Created attachment 4164
These are the entries from /etc/messages
Comment 2 Bernhard Rosenkraenzer 2000-10-15 08:54:08 EDT
Are you certain the cracker got in over anonymous ftp? I've just proofread the code, I can't find anything that could cause this (in wu-ftpd 2.6.1 from updates).

If you're running a version prior to 2.6.1, it's a known problem (the user logs in as anything, then issues a couple of broken commands).
Comment 3 Krisztian Danko 2000-10-16 07:38:52 EDT
I am running 2.6.0
Comment 4 Bernhard Rosenkraenzer 2000-10-16 07:42:09 EDT
Update to 2.6.1 please; 2.6.0 has at least 2 known security problems.