Hello,
today I got about 50 messages like the following in /var/log/messages:

Oct 7 10:11:51 gmv wu.ftpd[14694]: connect from 211.56.234.227
Oct 7 10:11:51 gmv ftpd[14694]: FTP session closed

... and it's still going on! What could be the deeper meaning, when someone is making connections the whole day long?
Any hint is appreciated!
Peter

P.S.: I'm running wu-2.4.2-academ[BETA-18](1)

--
Peter Münster
http://w3pm.stormloader.com/
> Hello,
> today I got about 50 messages like the following in /var/log/messages:
> Oct 7 10:11:51 gmv wu.ftpd[14694]: connect from 211.56.234.227
> Oct 7 10:11:51 gmv ftpd[14694]: FTP session closed
> ... and it's still going on! What could be the deeper meaning, when someone is making connections the whole day long?
> Any hint is appreciated!
> Peter
WuFTPD has more security holes than a .... well actually it's in my top 10 for "most insecure software ever written and maintained". There are _several_ root hacks for it in this year alone. I wouldn't use WuFTPD if someone had a gun to my head.
> P.S.: I'm running wu-2.4.2-academ[BETA-18](1)
Then it's time to shut down the box, look for signs of intrusion and probably do a clean install. WuFTPD 2.6.1 is the latest, all previous versions have a variety of nasty security problems (like granting remote root access to attackers). ProFTPD. It's much better. http://www.proftpd.net/
> --
> Peter Münster
Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
On Sat, 7 Oct 2000, Kurt Seifried wrote:
> > today I got about 50 messages like the following in /var/log/messages:
> > Oct 7 10:11:51 gmv wu.ftpd[14694]: connect from 211.56.234.227
> > Oct 7 10:11:51 gmv ftpd[14694]: FTP session closed
> > ... and it's still going on! What could be the deeper meaning, when someone it making connections the whole day long?
^^--(is)
Some more details: one first connection for about 4 seconds

Oct 7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
Oct 7 03:06:14 gmv ftpd[8685]: FTP session closed

And then, from 7.35 on, a connection of about 0 seconds every 4 minutes. Now the connections are refused by /etc/hosts.deny, but it's still going on:

Oct 7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
> WuFTPD has more security holes than a .... well actually it's in my top 10 for "most insecure software ever written and maintained". There are _several_ root hacks for it in this year alone. I wouldn't use WuFTPD if someone had a gun to my head.
Ok, I used it only because of Thomas' letter in June (http://lists.suse.com/archives/suse-security/2000-Jun/0167.html)...
> Then it's time to shut down the box, look for signs of intrusion and probably
I really can't find any hint of intrusion... I am going to try to take a look at the traffic (perhaps with tcpdump?)...
Peter

--
Peter Münster
http://w3pm.stormloader.com/
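An added example, not from any poster in this thread: a small Python script that does what Peter is doing by hand, i.e. reads wu.ftpd "connect from" / "refused connect from" and ftpd "FTP session closed" lines from a syslog-style file, pairs them by PID, and reports per source IP the number of connections, tcp_wrappers refusals, how many sessions lasted about zero seconds, and the median gap between connects. A source is flagged when it shows the pattern described above (many near-zero sessions at a regular interval). The log lines below are constructed to match the shape of the ones quoted in the thread; the year (syslog timestamps carry none) and the thresholds are assumptions.

```python
"""Summarise wu.ftpd connect / session-closed lines from a syslog-style file.

Added example, not part of the original thread. It assumes the log shape
quoted in the thread (wu.ftpd "connect from" / "refused connect from" and
ftpd "FTP session closed", paired by PID) and that all lines come from one
year, since syslog timestamps carry none.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in the same shape as those quoted in the thread.
SAMPLE_LOG = """\
Oct  7 03:06:10 gmv wu.ftpd[8685]: connect from 211.56.234.227
Oct  7 03:06:14 gmv ftpd[8685]: FTP session closed
Oct  7 07:35:02 gmv wu.ftpd[9001]: connect from 211.56.234.227
Oct  7 07:35:02 gmv ftpd[9001]: FTP session closed
Oct  7 07:39:03 gmv wu.ftpd[9017]: connect from 211.56.234.227
Oct  7 07:39:03 gmv ftpd[9017]: FTP session closed
Oct  7 07:43:01 gmv wu.ftpd[9030]: connect from 211.56.234.227
Oct  7 07:43:01 gmv ftpd[9030]: FTP session closed
Oct  7 09:12:44 gmv wu.ftpd[9500]: connect from 192.0.2.10
Oct  7 09:14:50 gmv ftpd[9500]: FTP session closed
Oct  7 12:07:09 gmv wu.ftpd[15227]: refused connect from 211.56.234.227
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ (?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<ip>[\d.]+)$")


def parse_line(line, year=2000):
    """Return (timestamp, program, pid, message) or None for lines that do not fit."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["prog"], int(m["pid"]), m["msg"]


def summarise(log_text, year=2000, short_s=1.0, jitter_s=60.0):
    """Per source IP: connection count, refusals, short sessions, median gap, verdict.

    A source is flagged when it opened at least three sessions, three quarters
    or more of them lasted short_s seconds or less, and at least half of the
    gaps between its connects sit within jitter_s of the median gap (the
    "zero-second connection every few minutes" pattern). Thresholds are assumed.
    """
    open_sessions = {}               # pid -> (ip, connect time)
    connects = defaultdict(list)     # ip -> connect timestamps
    durations = defaultdict(list)    # ip -> session lengths in seconds
    refused = defaultdict(int)       # ip -> count of tcp_wrappers refusals
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _prog, pid, msg = parsed
        cm = CONNECT_RE.match(msg)
        if cm:
            if cm["refused"]:
                refused[cm["ip"]] += 1
            else:
                open_sessions[pid] = (cm["ip"], ts)
                connects[cm["ip"]].append(ts)
        elif msg == "FTP session closed" and pid in open_sessions:
            ip, started = open_sessions.pop(pid)
            durations[ip].append((ts - started).total_seconds())

    report = {}
    for ip in sorted(set(connects) | set(refused)):
        times = sorted(connects[ip])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        regular = bool(gaps) and sum(abs(g - med) <= jitter_s for g in gaps) >= len(gaps) / 2
        short = sum(d <= short_s for d in durations[ip])
        mostly_short = len(durations[ip]) >= 3 and short >= 0.75 * len(durations[ip])
        report[ip] = {
            "connects": len(times),
            "refused": refused[ip],
            "short_sessions": short,
            "median_interval_s": med,
            "suspicious": mostly_short and regular,
        }
    return report


def suspicious_sources(log_text, **kw):
    """Source IPs whose pattern matches the thread's symptoms, sorted."""
    return [ip for ip, r in summarise(log_text, **kw).items() if r["suspicious"]]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, r in summarise(text).items():
        print(ip, r)
```

Run it as `python3 ftpscan.py /var/log/messages` (or without an argument to use the constructed sample). The refusal count matters after a hosts.deny entry is added: a source that keeps showing up only as "refused connect from" is still probing, which is exactly what Peter observes later in the thread.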
> WuFTPD has more security holes than a .... well actually it's in my top 10 for "most insecure software ever written and maintained". There are _several_ root hacks for it in this year alone. I wouldn't use WuFTPD if someone had a gun to my head.
> Ok, I used it only because of Thomas' letter in June (http://lists.suse.com/archives/suse-security/2000-Jun/0167.html)...
That was before the whole format string thing, I'm not sure they checked for format strings back then, doubt it.
-Kurt
Well if I remember well there was also a security advisory recently about proftp and how remote users could gain root privileges. I think so far the only one that hasn't had any has been the one from OpenBSD; it comes with SuSE. Try it out.
On Sat, 7 Oct 2000, semat wrote:
> Well if I remember well there was also a security advisory recently about proftp and how remote users could gain root privileges. I think so far the only one that hasn't had any has been the one from OpenBSD; it comes with SuSE. Try it out.
There was a security advisory about just about every ftp daemon, with all this format string s*** going around. The latest release of proftpd is supposed to be safe, and it's pretty good. Anyone using wuftpd after about 9 straight years of continual holes is probably suicidal (that brings to mind, is it still DeadRat's default ftp package? You do the math ;-))

If you need fast and safe (anonymous) ftp though, look at ncftpd (www.ncftp.com). Unfortunately not open source, but the best ftp daemon I know. If you're an educational site you can get it free, if you only need 3 concurrent users it's free as well.

greetz
Stefan
==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (++31) 50 363 3423
fax: (++31) 50 363 7272
E-mail (business): s.m.suurmeijer@rc.rug.nl
E-mail (private): stefan@symbolica.nl
==========================================
Quidquid id est, timeo Microsoftum et dona ferentis
(Whatever it is, I fear Microsoft, even when they are bringing gifts)
Who is General Failure, and why is he reading my harddisk?
> There was a security advisory about just about every ftp daemon, with all this format string s*** going around. The latest release of proftpd is supposed to be safe, and it's pretty good. Anyone using wuftpd after about 9 straight years of continual holes is probably suicidal (that brings to mind, is it still DeadRat's default ftp package? You do the math ;-))
> If you need fast and safe (anonymous) ftp though, look at ncftpd (www.ncftp.com). Unfortunately not open source, but the best ftp daemon I know. If you're an educational site you can get it free, if you only need 3 concurrent users it's free as well.
Actually you can get a source license for NcFTPD, but it's not cheap, and it seems to me that I shouldn't have to pay a vendor for the "privilege" of auditing their source code so that I know it is safe to use. Also ProFTPD has a number of security features (DenyFilter for example) that make it much much harder for an attacker to get in (for example I block the % char on all my ftp servers, a lot of the remote exploits need to be able to pass that to work). NcFTPD is however pretty damn fast, but proftpd is used on sourceforge and some other pretty major sites (ftp.turbolinux.com for example) and in general has no problem keeping up with load.
> greetz
> Stefan
-Kurt
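An added example, not ProFTPD's code and not from any poster in this thread, to make concrete what Kurt means by blocking the % character with DenyFilter (he describes the same directive again further down, as `denyfilter "%"`): a small Python model of a command-argument filter sitting in front of an FTP daemon. The deny rule for `%` and the extra rule for control characters are assumed policy; the reply texts are modelled on the FTP reply codes, not copied from ProFTPD. The sample session is constructed, and it includes a filename that merely looks URL-encoded, to show the false positive that such a coarse rule accepts in exchange for keeping printf-style conversions out of the daemon.

```python
"""Model of an FTP command-argument filter in the spirit of ProFTPD's DenyFilter.

Added example, not ProFTPD's code. It assumes the thread's policy of rejecting
any argument containing '%' (so no printf-style conversion can reach a
format-string call inside the daemon) and, as an extra assumed rule, any
embedded control character.
"""
import re

# Assumed policy, modelled on the thread's advice to block the % character.
DENY_PATTERNS = (
    re.compile(r"%"),            # printf-style conversions in user input
    re.compile(r"[\x00-\x1f]"),  # embedded control characters (assumed extra rule)
)

# Constructed control-channel session, one command per element.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "CWD /pub\r\n",
    "RETR sales%20report.txt\r\n",   # harmless-looking name, still caught by the % rule
    "CWD %x%x%x%x\r\n",              # the kind of argument the % rule exists for
    "RETR a\r\nDELE b\r\n",          # CRLF smuggled inside one read: control-char rule
    "QUIT\r\n",
]


def parse_ftp_command(line):
    """Split 'RETR foo.txt\\r\\n' into ('RETR', 'foo.txt'); None when malformed."""
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    if not re.fullmatch(r"[A-Za-z]{3,4}", verb):
        return None
    return verb.upper(), arg


def check_command(line, deny=DENY_PATTERNS):
    """Return (allowed, reply) for one command line; only the argument is filtered.

    The reply names the verb but never echoes the rejected argument, so a
    hostile argument cannot push text back onto the control channel or into
    the log through the error message.
    """
    parsed = parse_ftp_command(line)
    if parsed is None:
        return False, "500 Syntax error, command unrecognized"
    verb, arg = parsed
    if any(p.search(arg) for p in deny):
        return False, f"550 {verb}: Forbidden command argument"
    return True, f"{verb} passed filter"


def audit_session(lines, deny=DENY_PATTERNS):
    """Run a captured session through the filter; returns (command, reply) rejects."""
    rejects = []
    for line in lines:
        ok, reply = check_command(line, deny)
        if not ok:
            rejects.append((line.rstrip("\r\n"), reply))
    return rejects


if __name__ == "__main__":
    for cmd, reply in audit_session(SAMPLE_SESSION):
        print(f"{cmd!r:32} -> {reply}")
```

The trade-off is visible in the sample: `sales%20report.txt` is refused along with `%x%x%x%x`. Restricting the rule to `%` followed by a conversion letter would let the first through, but the thread's advice is the blunt version, and it is the blunt version that needs no knowledge of which conversions a given libc honours.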
On Sat, 7 Oct 2000, Stefan Suurmeijer wrote:
> 9 straight years of continual holes is probably suicidal (that brings to mind, is it still DeadRat's default ftp package? You do the math ;-))
No, of course it's the latest version from suse-update...
However, thank you all, for the hints to better ftp-daemons!
But there is still the same question: what could be the sense in doing an ftp-connection every 5 minutes and also ICMP echo requests (pings)? There is no more process listening on port 21 (no more ftp in inetd.conf) but there are still the same attempts:

from 211.56.234.227 to 129.20.79.55
IP Packet precedence: Routine (---) ID: 0x3F8E FLAGS: DF --
Time to live (secs): 106
Protocol (6): TCP
Packet ID (from_IP.port-to_IP.port): 211.56.234.227.4283-129.20.79.55.21
E..,?.@.j.B..8....O7....J.5.....`. .XU......

from 129.20.79.55 to 211.56.234.227
IP Packet precedence: Routine (---) ID: 0xC53A FLAGS: -- --
Time to live (secs): 255
Protocol (6): TCP
Packet ID (from_IP.port-to_IP.port): 129.20.79.55.21-211.56.234.227.4283
E..(.:....h-..O7.8..........J.5.P.......

[...]

ICMP message id: 211.56.234.227 > 129.20.79.55
ICMP type: Echo
ICMP message id: 129.20.79.55 > 211.56.234.227
ICMP type: Echo reply

(the output comes from sniffit -a -l 0 -b -t "@" -P IP,TCP,ICMP,UDP||grep -C 211.56.234.227)

But perhaps there is just _no_ sense, only a mistake by the user of 211.56.234.227 ...
Peter

--
Peter Münster
http://w3pm.stormloader.com/
Hi Peter,

On Sat, 7 Oct 2000, Peter Münster wrote:
> However, thank you all, for the hints to better ftp-daemons!
> But there is still the same question: what could be the sense in doing an ftp-connection every 5 minutes and also ICMP echo requests (pings)? There is no more process listening on port 21 (no more ftp in inetd.conf) but there are still the same attempts:
Hmmm, if you don't suppress version information on your ftp server, some script kiddie may have seen that you are using a vulnerable ftp server, and may now be trying to break in with different exploit scripts. There isn't much I can tell you about the pings. He may just be probing to see if your server is up, since his connects to your ftp server are suddenly failing. But it could be something else altogether.

Stefan
-----Original Message-----
From: Stefan Suurmeijer [mailto:stefan@symbolica.nl]
> Hi Peter,
> Hmmm, if you don't suppress version information on your ftp server, some script kiddie may have seen that you are using a vulnerable ftp server, and may now be trying to break in with different exploit scripts. There isn't much I can tell you about the pings. He may just be probing to see if your server is up, since his connects to your ftp server are suddenly failing. But it could be something else altogether.
Hello list,
IMHO this is something being done very often recently. I have had the same entries in my logs for about 4 weeks. As our server is serving 50 IPs at the moment, I therefore have 50 entries. Seems as if someone or some ppl scan the net IP after IP for vulnerable ftp-servers. As these scans originate from around the whole world it seems as if these ppl are faking their destination-IPs. As wuftpd (which I run at the moment) is known as vulnerable I consider changing to proftpd. Is it totally different from wuftpd in configuration and usage? Is it really more secure than wuftpd? Is it possible with proftpd to have secure anonymous ftp, chroot for users, and so on?
TIA
---
Stephan
> However, thank you all, for the hints to better ftp-daemons!
> But there is still the same question: what could be the sense in doing an ftp-connection every 5 minutes and also ICMP echo requests (pings)? There is no more process listening on port 21 (no more ftp in inetd.conf) but there are still the same attempts:
> Hmmm, if you don't suppress version information on your ftp server, some script kiddie may have seen that you are using a vulnerable ftp server, and may now be trying to break in with different exploit scripts. There isn't much I can tell you about the pings. He may just be probing to see if your server is up, since his connects to your ftp server are suddenly failing. But it could be something else altogether.
That is so utterly stupid. Most script kiddie attacks I have seen don't even bother to be subtle at all, they just use the shotgun approach, taking an exploit and pointing it at machines until they get in. Hiding version info is pretty damn useless.
> Stefan
Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
> That is so utterly stupid. Most script kiddie attacks I have seen don't even bother to be subtle at all, they just use the shotgun approach, taking an exploit and pointing it at machines until they get in. Hiding version info is pretty damn useless.
>
> Kurt Seifried - seifried@securityportal.com
I agree. Security by obscurity doesn't help - on the contrary: it shows the attacker the level of experience to some degree. You should easily be able to recognize an MTA just by its reaction to some teasing and bugging.

The other way around is very funny, though. (do as if you have a vulnerable version and watch the h@x0r5 wasting their time...)
Roman.

--
Roman Drahtmüller
On Sun, 8 Oct 2000, Roman Drahtmueller wrote:
> > That is so utterly stupid. Most script kiddie attacks I have seen don't even bother to be subtle at all, they just use the shotgun approach, taking an exploit and pointing it at machines until they get in. Hiding version info is pretty damn useless.
> >
> > Kurt Seifried - seifried@securityportal.com
Wow, ease off the trigger please. I guess that's what I get for not formulating clearly. What I meant to say was since the "attack" in question lasted over more than a day, maybe some script kiddie had detected a vulnerable ftp daemon and was trying to break in, and that he might have gotten that information by simply connecting or scanning unless the server information was suppressed, in which case I don't think most script kiddies would know with which ftp daemon they were dealing. I never meant to say that suppressing server information would safeguard you or even be useful. I agree with you that most script kiddies just randomly attack, but when someone repeatedly tries to get in over a period of time, then they might be looking for something specific. Switch to decaf please ;-)
> I agree. Security by obscurity doesn't help - on the contrary: it shows the attacker the level of experience to some degree. You should easily be able to recognize an MTA just by its reaction to some teasing and bugging.
You are right. Although I don't think most script kiddies are knowledgeable enough to do that.
> The other way around is very funny, though. (do as if you have a vulnerable version and watch the h@x0r5 wasting their time...)
*grin* I think I'll try that sometime.
> Roman.
> --
Stefan
Hi2all
What is amazing is that many times when people don't understand the point of an attack the first reaction is: bah ... it's just a nonsense script kiddie attack. Put yourself in the skin of a real nasty, well socially skilled black hat hacker: what's the first thing he wants you to know? That he is what he is, or that he is just a kid clicking?
> The other way around is very funny, though. (do as if you have a vulnerable version and watch the h@x0r5 wasting their time...)
Is that your idea of a sandbox? You will see that both of you are just wasting time.

"Stereotyping Can Be Dangerous" (Tangled Web, Chapter 2 - Inside the mind of the cybercriminal)

[ ]'s
bacano
On Sun, Oct 08, 2000 at 14:42 +0100, bacano wrote:
> > The other way around is very funny, though. (do as if you have a vulnerable version and watch the h@x0r5 wasting their time...)
> Is that your idea of a sandbox? You will see that both of you are just wasting time.
It's called a honeypot and usually does just what the name suggests: to direct the attackers away from what you want to protect and to recognize their methods to further improve your protection. There are uses for these, but one has to be able to afford such luxury. :)

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
> Hi2all
> What is amazing is that many times when people don't understand the point of an attack the first reaction is: bah ... it's just a nonsense script kiddie attack. Put yourself in the skin of a real nasty, well socially skilled black hat hacker: what's the first thing he wants you to know? That he is what he is, or that he is just a kid clicking?
> > The other way around is very funny, though. (do as if you have a vulnerable version and watch the h@x0r5 wasting their time...)
> Is that your idea of a sandbox? You will see that both of you are just wasting time.
Modifying the version number has nothing to do with sandboxing. Sandboxing is the practice of running the software in a "separate" space to prevent it from doing bad things (such as chrooting it so that it cannot read /etc/passwd as easily). What it can be good for though is wasting the attacker's time and energy. If the attacker does bother to check the version and sees that it is an old version (say sendmail 8.8.5) they will then launch a variety of older attacks against it, which will fail since you're running Sendmail 8.11.1 or whatever. They will then (hopefully) get bored and leave you alone. I'm 99% sure a LOT of people use automated scripts/etc just to generate "noise" to waste admins' time, so that the real attacks slip through. I've actually got an article half done on this topic (and what you can do about it).
> "Stereotyping Can Be Dangerous" (Tangled Web, Chapter 2 - Inside the mind of the cybercriminal)
>
> [ ]'s
> bacano
Kurt Seifried - seifried@securityportal.com
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
> Well if I remember well there was also a security advisory recently about proftp and how remote users could gain root privileges. I think so far the only one that hasn't had any has been the one from OpenBSD; it comes with SuSE. Try it out.
Proftpd 1.2.0pre9, 10 had root hacks, rc1 has a DoS (not so bad, but annoying, blockable though with "denyfilter "%"" if I remember right), rc2 is ok. OpenBSD's ftpd had a root hack due to a format string attack:
===========
http://www.openbsd.org/errata.html
019: SECURITY FIX: July 5, 2000
Just like pretty much all the other unix ftp daemons on the planet, ftpd had
a remote root hole in it. Luckily, ftpd was not enabled by default. The
problem exists if anonymous ftp is enabled.
===========
Basically all ftp daemons had a root hack due to the format strings problem. WuFTPD also has a TERRIBLE code base (like Bind for example), Proftpd is a LOT cleaner, and has a way easier/more powerful config, for example: within my anonymous directive: