*BSD News Article 98861


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.Hawaii.Edu!news.caldera.com!enews.sgi.com!nntprelay.mathworks.com!news.mathworks.com!newsfeed.direct.ca!news.uoregon.edu!la-news1.digilink.net!bob
From: "Henry Stapp" <hstapp@redchannel.com>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Hacking into FreeBSD possible via FTPD?
Date: 2 Jul 1997 21:49:10 GMT
Organization: Red Channel Interactive
Lines: 44
Message-ID: <01bc8731$c41837c0$530b93cd@think.redchannel.com>
NNTP-Posting-Host: think.redchannel.com
X-Newsreader: Microsoft Internet News 4.70.1155
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:43832

Hi All,

I've noticed some weird FTPD logs on our server and was wondering if FTPD
(Version 6.00) has a weakness that I don't know about... Here are some
examples of the log entries:

Jun 13 13:53:15 www ftpd[7392]: connection from bitgate.bitburn.org
Jun 13 13:53:30 www ftpd[7392]: ANONYMOUS FTP LOGIN FROM bitgate.bitburn.org, ANARCHIE/nobrand@bitburn.org
Jun 13 13:58:30 1997!ANARCHIE/nobrand@bitburn.org!bitgate.bitburn.org!/pub/.phractal//pub/.phractal/phractal.nfo!1525!866210310
Jun 13 13:58:30 www ftpd[7392]: get /pub/.phractal/phractal.nfo = 1525 bytes

Jun 17 14:42:16 www ftpd[28482]: connection from 170-133-141.ipt.aol.com
Jun 17 14:42:18 www ftpd[28482]: ANONYMOUS FTP LOGIN FROM 170-133-141.ipt.aol.com, IE30User@
Jun 17 14:42:24 1997!IE30User@!170-133-141.ipt.aol.com!///etc/passwd!1499!866558544
Jun 17 14:42:24 www ftpd[28482]: get /etc/passwd = 1499 bytes

Jun 18 21:36:39 www ftpd[16197]: ANONYMOUS FTP LOGIN FROM p235.asheboro.com, eaker@mail.asheboro.com
Jun 18 21:37:09 1997!eaker@mail.asheboro.com!p235.asheboro.com!/etc//etc/group!552!866695029
Jun 18 21:37:09 www ftpd[16197]: get /etc/group = 552 bytes

The file phractal.nfo contained a message saying "Sorry 'bout that damn
warez all over your site".

What's with the weird log file lines with all the exclamation points...
anyone have a clue?

Thanks,

Henry Stapp
Red Channel Interactive
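
One way to triage ftpd syslog entries like the ones quoted in this post, as an added example that is not part of the original message: it ties each "get" to the anonymous login logged by the same ftpd pid and flags retrievals of paths under /etc or inside dot-directories. The function names and the two flagging rules are assumptions chosen for illustration; the log does not show whether these paths are relative to the anonymous FTP root.

```python
import re

# Log lines from the post above, with newsreader line wraps rejoined.
SAMPLE_LOG = """\
Jun 13 13:53:15 www ftpd[7392]: connection from bitgate.bitburn.org
Jun 13 13:53:30 www ftpd[7392]: ANONYMOUS FTP LOGIN FROM bitgate.bitburn.org, ANARCHIE/nobrand@bitburn.org
Jun 13 13:58:30 www ftpd[7392]: get /pub/.phractal/phractal.nfo = 1525 bytes
Jun 17 14:42:16 www ftpd[28482]: connection from 170-133-141.ipt.aol.com
Jun 17 14:42:18 www ftpd[28482]: ANONYMOUS FTP LOGIN FROM 170-133-141.ipt.aol.com, IE30User@
Jun 17 14:42:24 www ftpd[28482]: get /etc/passwd = 1499 bytes
Jun 18 21:36:39 www ftpd[16197]: ANONYMOUS FTP LOGIN FROM p235.asheboro.com, eaker@mail.asheboro.com
Jun 18 21:37:09 www ftpd[16197]: get /etc/group = 552 bytes
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ftpd\[(\d+)\]: (.*)$")
LOGIN = re.compile(r"^ANONYMOUS FTP LOGIN FROM (\S+), (.*)$")
GET = re.compile(r"^get (\S+) = (\d+) bytes$")

def classify(path):
    """Return a reason string if an anonymous 'get' of path deserves review."""
    parts = [p for p in path.split("/") if p]
    if parts and parts[0] == "etc":
        return "path under /etc"
    if any(p.startswith(".") for p in parts[:-1]):
        return "file inside a hidden directory"
    return None

def find_suspicious(log_text):
    """Correlate each get with the anonymous login of the same ftpd pid."""
    sessions = {}   # pid -> (client host, password string the client supplied)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not an ftpd syslog entry
        when, pid, msg = m.groups()
        if (lm := LOGIN.match(msg)):
            sessions[pid] = lm.groups()
        elif (gm := GET.match(msg)) and pid in sessions:
            reason = classify(gm.group(1))
            if reason:
                findings.append((when, sessions[pid][0], gm.group(1), reason))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding, sep=" | ")
```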