
Re: is this an attack ?



On Sat, Mar 29, 2003 at 02:35:39PM +0000, Tom Goulet (UID0) imagined:

> On Sat, Mar 29, 2003 at 10:46:02AM -0300, danilo lujambio wrote:
> > sorry for the length of the message, but I am not a security
> > expert and I have an ftp server secured with the directives
> > that I found in general docs. Yesterday my server was down
> > at 19:30 approx.; the only suspicious track that I found is: 
> > 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> > Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> > Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
> > Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> > Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com

> Apparently there is a cracking tool that uses this user and
> password for FTP servers.  If you were running a version of
> WU-FTPD with a known hole your computer was probably cracked.
> 
> I'm not sure what the best way is to tell if your instance of
> WU-FTPD had a known vulnerability.  Maybe do "apt-get update
> && apt-get upgrade", and check to see if there is an update
> for the wu-ftpd package.
> 
> Even if it seems your WU-FTPD was not exploitable, I'd boot
> from Knoppix and snoop around for backdoors or rootkits.
> 
> It is a good idea to run as few internet-listening servers as
> possible.  A total of zero internet-listening servers is a
> good goal for a desktop machine.
> 
> And lastly, if you still need to run an FTP server, I
> recommend VSFTPD.
> -- 
> Tom Goulet				mail: uid0@em.ca

Further to what Tom has said:
o 'apt-get install chkrootkit' will install a utility that
  checks for the presence of (you guessed it) common rootkits.
  Just run 'chkrootkit' as root.
o If you have been cracked (and it looks likely) you will need
  to re-install Debian from scratch -- there is really no other
  reliable way to recover from this.
o About 'vsftpd': I agree, this is one of the best you can run,
  if you cannot make do with ssh/scp.

Cheers,
Raymond
-- 
o Kindly avoid sending proprietary Word or PowerPoint attachments.
  * See http://www.fsf.org/philosophy/no-word-attachments.html
o Plain text email please -- here's why: http://expita.com/nomime.html
o If possible, please send a URL instead of an attachment :-)
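
Added example (not part of this thread, and not code from either poster): a small Python log check that applies what Tom pointed out to wu-ftpd syslog lines. It groups lines by daemon pid (wu-ftpd forks one child per connection, so the pid ties "connect from", USER and PASS together), then flags a session when the anonymous password is one associated with a scanning tool (here only the "ano@ano.com" string quoted above) or when the same USER/PASS pair is re-sent within one second, which a human client does not do. The log lines, IP addresses and pids in SAMPLE_LOG are constructed for the example; the SUSPECT_PASSWORDS set is an assumption you would extend from your own logs.

```python
import re
from collections import defaultdict

# Matches the syslog format quoted in the thread:
#   Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"wu-ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Anonymous "password" strings tied to automated tools. Only the one from
# the thread is listed; anything else you add here is your own assumption.
SUSPECT_PASSWORDS = {"ano@ano.com"}

# Constructed sample log (made-up IPs and pids) in the quoted format: one
# scripted session that repeats USER/PASS, and one ordinary anonymous login.
SAMPLE_LOG = """\
Mar 28 18:59:06 web wu-ftpd[10527]: connect from 192.0.2.10
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS ano@ano.com
Mar 28 19:02:11 web wu-ftpd[10531]: connect from 192.0.2.20
Mar 28 19:02:12 web wu-ftpd[10531]: USER anonymous
Mar 28 19:02:14 web wu-ftpd[10531]: PASS mozilla@example.com
"""


def parse_sessions(log_text):
    """Group wu-ftpd lines by pid; each pid is one client connection."""
    sessions = defaultdict(lambda: {"src": None, "first_ts": None, "events": []})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a wu-ftpd line, skip it
        s = sessions[m["pid"]]
        if s["first_ts"] is None:
            s["first_ts"] = m["ts"]
        msg = m["msg"]
        if msg.startswith("connect from "):
            s["src"] = msg[len("connect from "):].strip()
        elif msg.startswith(("USER ", "PASS ")):
            verb, _, arg = msg.partition(" ")
            s["events"].append((m["ts"], verb, arg.strip()))
    return sessions


def analyze(log_text):
    """Return one finding per session that looks scripted or tool-driven."""
    findings = []
    for pid, s in parse_sessions(log_text).items():
        reasons = []
        pass_events = [(ts, arg) for ts, verb, arg in s["events"] if verb == "PASS"]
        if any(arg in SUSPECT_PASSWORDS for _, arg in pass_events):
            reasons.append("known-tool-password")
        # Two PASS commands carrying the same second stamp means the client
        # re-sent the login pair faster than a person could type it.
        stamps = [ts for ts, _ in pass_events]
        if len(stamps) >= 2 and len(set(stamps)) < len(stamps):
            reasons.append("repeated-login-same-second")
        if reasons:
            findings.append({"pid": pid, "src": s["src"],
                             "first_seen": s["first_ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; point it at /var/log/syslog
    # (or wherever wu-ftpd logs on your box) for real use.
    for f in analyze(SAMPLE_LOG):
        print("pid %s from %s at %s: %s"
              % (f["pid"], f["src"], f["first_seen"], ", ".join(f["reasons"])))
```

A hit from this script only tells you the connection looked automated, not whether the exploit succeeded; as Tom and Raymond say, the follow-up is still to check the installed wu-ftpd version against the security updates and to run chkrootkit from trusted media.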
