From: Robert S. Thau (rst@ai.mit.edu)
Date: Tue May 30 2000 - 19:02:21 PDT
John Klassa writes:
> By the way, this is fairly urgent. I just got mail that they were
> broken into again, today. They think someone has compromised ftp
> in some way, because changing the passwords seemed to help until
> some files were ftped to the system... Shortly thereafter, they
> were broken-into again.
Hmmm... this is starting to sound vaguely reminiscent of the
apache.org breakin; they had an anonymous ftp server which allowed
uploads to certain directories, which were also read by a web server
which would run scripts from the same directories. The crackers
uploaded a script (I forget what language; it wasn't raw CGI, but php
or mod_perl .pl would both let them in) which gave them a shell.
(Which is, of course, a special case of the general rule that files
uploaded via anonymous ftp should not be made available to other
clients through any means without manual intervention; anything else
is an invitation to war3z k1dd13z).
Of course, this may not be the problem at all; if they're running
Linux, they should check the vendor's errata for updates concerning
the ftp server.
rst
This archive was generated by hypermail 2b29 : Tue May 30 2000 - 19:05:11 PDT