Re: List /home directory without logging in?
From: Gerard Wassink (DontWant_at_SP_aM.nl)
Date: Tue, 6 Jul 2004 14:07:47 +0200
On 5 Jul 2004 13:35:41 -0700, Alan Baker scribbled:
> firstname.lastname@example.org (Alan Baker) wrote in message news:<email@example.com>...
>> Someone recently tried to log into all the userids on my Linux box.
>> First they connected several times via http, telnet, ftp, pop3, and
>> imap but were unsuccessful in logging in. Then they tried every
>> userid twice in alphabetical order via SSH. Also unsuccessfully.
>> (Use those strong passwords, friends!)
>> They didn't actually use the names in /etc/passwd, but instead tried
>> all directory names under /home (including non-users like lost+found).
>> This makes me wonder if the preliminary probes revealed /home's
>> directory list.
>> How could someone list /home without logging in? Is there a known
>> vuln I'm missing?
> Thanks for your ideas, Jem, Steve, and Bit Twister.
> This is a server so the http, telnet, ftp, pop3, imap, and ssh ports
> are open through the firewall.
> Good idea about a vulnerable web CGI script that reveals /home. I'm
> running mailman (pop-mail reader written in Perl) and cgipasswd
> (password-changer written in PHP). They have no documented
> vulnerabilities I can find. Further suggestions?
Forgive me for asking the obvious "is-it-plugged-in" like question:
Would you be servicing anonymous ftp?
And if so, what's the chmod value of your /home directory, and is it
perhaps reachable by anonymous clients?
-- 
Gerard
Linux ay tee filternet dee oo tee ann el
Jesus is alive, I spoke with Him this morning!
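
The two checks asked about in the reply above, as an added example that is not part of the original post: it reports whether /home falls inside the anonymous FTP tree and whether its mode lets "other" read the directory names. It assumes a daemon that enables anonymous login through an `ftp` account in /etc/passwd and confines the session to that account's home directory; the function names and the sample passwd text are made up for illustration.

```python
import os
import stat

# Constructed sample in passwd(5) format, not taken from the thread.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "ftp:x:14:50:FTP User:/home:/sbin/nologin\n"
)

def ftp_home(passwd_text):
    """Return the home directory of the 'ftp' account, or None if absent."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 7 and fields[0] == "ftp":
            return fields[5]
    return None

def inside(root, target):
    """True if target is root itself or lies beneath it."""
    if not os.path.isabs(root):
        return False
    root, target = os.path.normpath(root), os.path.normpath(target)
    return os.path.commonpath([root, target]) == root

def audit(passwd_text, dir_mode, target="/home"):
    """Is target in the anonymous tree, and can 'other' read its names?"""
    root = ftp_home(passwd_text)
    in_tree = root is not None and inside(root, target)
    # The read bit for 'other' is what lets a non-owner list the entries.
    listable = bool(dir_mode & stat.S_IROTH)
    return {
        "ftp_account": root is not None,
        "anon_root": root,
        "target_in_anon_tree": in_tree,
        "other_can_list": listable,
        "exposed": in_tree and listable,
    }

if __name__ == "__main__":
    # On the server itself: read the real passwd file and the mode of /home.
    with open("/etc/passwd") as fh:
        result = audit(fh.read(), os.stat("/home").st_mode)
    for key, value in result.items():
        print(f"{key}: {value}")
```

An `exposed: False` result only rules out this one path; a daemon configured with a different anonymous root has to be checked against its own configuration.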