Re: FTP Tagging anyone?

From: Alun Jones (alun@texis.com)
Date: 11/16/02 

From: alun@texis.com (Alun Jones)
Date: Sat, 16 Nov 2002 01:48:44 GMT

In article <uR8FIsQjCHA.2616@tkmsftngp10>, "Karl Levinson [x y] mvp"
<levinson_k@excite.com> wrote:
>Good point... I don't think the FTP permissions exploit alone is usually
>associated with trojans [since the hacker would need to also gain the
>ability to write or read files outside the FTP structure and/or the ability
>to execute code remotely], though if the server had this vulnerability, it
>probably had other more serious vulnerabilities.

Not necessarily. There are many systems that run with firewalls in place,
secured against various different kinds of vulnerabilities, and the one thing
they did wrong was think that they could allow anonymous FTP users to upload
and download. Time was, when people pretty much respected FTP servers, and
even when anonymous users were allowed to upload and download, they did so in
respect of the rules of the site they connected to.

These days, as you can see, there are any number of people whose desperate
search for the next piece of porn (presumably because they're either too
young, ugly, stupid or offensive to find a mate of their own), or stolen
movies (what, they really can't afford a movie ticket? a Blockbuster card? a
vaguely working TV that lets them watch the major networks, and a little
patience?) leads them to pervert other people's systems into their own little
plots of storage.

Each time I've observed this happen, the storage of extra files - in
directories that are designed to be difficult for the administrator to delete
- has been the only attack on the system.

>Formatting the computer is the safe way to go and the only way to be 100%
>sure that it's free of other back doors, though you can certainly choose not
>to format if security is not terribly important to you.

Uh, yeah, sure. For most people, formatting the computer is hardly a rational
response, given the amount of work it requires to get back to working status.
In general, it should be possible to be reasonably certain, by a little
analysis, and a little running of automated scanning tools, that your system
is not infected with anything else. Investing in a little IDS tool may help
to promote a sense of security. Yes, the only way to be absolutely certain is
to take the machine and push it into the harbour as you buy another one from
CompUSA. But this particular attack seems designed only to use your server as
external storage.

It's a pain in the ***, because it has me trying to think if there's a good
scheme whereby this sort of access can be easily prevented - unfortunately,
Microsoft have this problem where you can't actually tell if a file name
matches a device name, and where some tools will treat it as a file, and
others as a device. At least it's better than a couple of years ago, when any
access to device\device in a path would cause a complete system halt! With no
tools around that would tell you ahead of time whether a name matches a
device, there's no way for an application developer to head off this bug.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.] 

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.