FTP buffer overrun
Christopher Twigg
cdtwigg at u.washington.edu
Sun Aug 13 17:05:33 PDT 2000
The point wasn't that he should assume nothing was wrong b/c there was a
log entry (if you read the message that should be clear) but that the log
entry isn't enough to prove that an exploit took place, and by extension,
the lack of such an entry would not be enough to show that no such
exploit took place. The log entry shows that you were probed by some
script kiddie somewhere; a script kiddie who tried once is very likely to
try again using another exploit (maybe for a different program), and I
would look at all your other services as potential points of entry instead
of focusing solely on ftp.
I would also tend to suggest to sysadmins everywhere turning off all ftp
servers since they have traditionally been huge problem spots (wu_ftpd,
proftpd, etc.) and using scp to transfer your files. If you need
anonymous ftp, however (a very legit use of the protocol), there are a
number of very secure anonymous-only ftp servers available that don't need
to run as root and so don't offer nearly the exploit opportunities of the
fully featured ftp daemons.
Christopher Twigg
cdtwigg at u.washington.edu
On Sun, 13 Aug 2000, Cliff wrote:
> I would definitely be conservative in your assumptions. The wu-ftpd exploit has been
> out for a while now and script kiddies can "hack" into systems pretty trivially from
> existing source code. I wouldn't assume that they are intelligent enough to remove log
> file entries (or even know they exist?). Rootkits for linux (I would guess) are almost
> as trivial to install as running the exploit itself...but Dave Dittrich knows more about
> that than I. If you have a way to monitor your computer from an external traffic
> scanner, that would probably be the best way to see what is going on...
>
> Cliff
>
>
>
> Christopher Twigg wrote:
>
> > If it actually logs it, that means the server is recording that as an
> > error which makes me suspect that particular log entry represents a
> > _failed_ attack (if he'd really managed to execute something as
> > root, why would that show up in the logfiles?). Also, a really good
> > hacker wouldn't have left such a mess lying around in the logfiles after a
> > successful attack. Doesn't mean anything for sure, though, since he might
> > be a dumb hacker and might have succeeded on a different attempt.
> >
> > Christopher Twigg
> > cdtwigg at u.washington.edu
>
>
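The advice above (one ftp log entry shows a probe, so check every other service for the same source, and remember that no entry is not proof of no exploit) can be turned into a small log-correlation check. This is an added example, not code from the thread; it assumes syslog-style lines, and the log lines and addresses below are constructed samples using documentation IP ranges.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original thread). The
# probing source 203.0.113.7 and the legitimate user's 198.51.100.20 are
# documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Aug 13 02:11:04 host ftpd[812]: refused connect from 203.0.113.7
Aug 13 02:11:09 host ftpd[813]: ANONYMOUS FTP LOGIN REFUSED FROM 203.0.113.7
Aug 13 02:13:31 host sshd[901]: Failed password for root from 203.0.113.7 port 4412
Aug 13 02:14:02 host httpd[77]: [error] client 203.0.113.7 File does not exist: /admin
Aug 13 09:30:12 host sshd[950]: Accepted publickey for alice from 198.51.100.20 port 5100
"""

# Assumed BSD-syslog layout: "<timestamp> <host> <service>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[A-Za-z_]+)\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(log_text):
    """Return (timestamp, service, source_ip, message) for every line
    that carries a source address; lines without one are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m["msg"])
        if not ip:
            continue
        events.append((m["ts"], m["svc"], ip.group(1), m["msg"]))
    return events


def services_by_source(events):
    """Map each source address to the set of services it touched."""
    out = defaultdict(set)
    for _ts, svc, ip, _msg in events:
        out[ip].add(svc)
    return out


def pivots_from(events, seed_service="ftpd"):
    """Sources seen against seed_service that also hit other services.
    Only what was logged is visible here: a source absent from this
    report may still have succeeded somewhere without leaving a line."""
    by_src = services_by_source(events)
    return {ip: sorted(svcs - {seed_service})
            for ip, svcs in by_src.items()
            if seed_service in svcs and len(svcs) > 1}
```

For the constructed sample, `pivots_from(parse(SAMPLE_LOG))` reports that the host refused by ftpd went on to try sshd and httpd, which is exactly the "other points of entry" the reply says to look at.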