Subject: Re: Cracked again (!%#$^$%^$%#$!)
From: aingramPOP.GALSTAR.COM
Date: Sat Nov 04 2000 - 05:59:51 CST


Have you tried publicfile at cr.yp.to/publicfile.html?

The following is a quote from that page:

What is it?

publicfile supplies files to the public through HTTP and FTP.

Security features:

    Before accepting any commands, publicfile chroot()s to the public file
    area and sheds root privileges.
    publicfile doesn't let users log in. Intruders can't use publicfile to
    check your usernames and passwords.
    publicfile refuses to supply files that are unreadable to owner,
    unreadable to group, or unreadable to world.
    publicfile never attempts to modify the public file area. It refuses all
    HTTP and FTP modification commands.
    publicfile never runs any other programs. It does not support HTTP CGI or
    FTP SITE EXEC.
    publicfile avoids bug-prone libraries such as stdio.
    The publicfile FTP server uses local ports above 1024 for PORT connections.
    The publicfile FTP server prohibits remote ports below 1024 for PORT.
    The publicfile FTP server prohibits PORT relaying.
    The publicfile FTP server includes automatic PASV IP protection.

HTTP features:

    publicfile supports virtual hosts through the Host field.
    publicfile supports virtual hosts through absolute URLs.
    publicfile supports HTTP/1.1 persistent connections.
    publicfile supports HTTP/1.1 chunked responses.
    publicfile supports user-controlled content types.
    publicfile supports exact-prefix If-Modified-Since.

FTP features:

    publicfile has built-in LIST and NLST commands. You don't have to bother
    setting up bin/ls, shared libraries, et al. inside the public file area.
    publicfile provides EPLF LIST responses, including options "i", "s", and
    "m".
    publicfile supports restarted transfers.
    publicfile supports pipelining.

Other HTTP servers and FTP servers

Apache is a big, powerful HTTP server, by far the most widely installed server
on the Internet. Unfortunately, the code base has a history of security
problems: Apache before version 1.1.3 allowed remote users to take over the web
server, and Apache before version 1.2.5 (1998-01) allowed local users to take
over the web server. Are the authors confident that no such problems will ever
happen again?

Similar comments apply to wu-ftpd, the most widely installed FTP server on the
Internet. wu-ftpd has had several bugs that allowed remote users to take over
the entire machine: one fixed in version 2.0 (1993-04), one fixed in version
2.4 (1994-04), one fixed in version 2.4.2-beta18-VR10 (1998-11), one fixed in
version 2.6.0 (1999-10), and one fixed in version 2.6.1 (2000-07).

ProFTPD has had several bugs that allowed remote users to take over the entire
machine: one fixed in version 1.2.0pre2 (1999-02), one fixed in version
1.2.0pre4 (1999-09), one fixed in version 1.2.0pre5 (1999-09), one fixed in
version 1.2.0pre6 (1999-09), one fixed in version 1.2.0pre8 (1999-10), and one
fixed in version 1.2.0rc1 (2000-07). As of 2000-07, ProFTPD continues to be
advertised as a ``secure'' FTP server.

Many versions of the BSD ftpd, including the HP-UX 10 ftpd and the ``audited''
OpenBSD 2.7 ftpd, have had a bug allowing remote users to take over the entire
machine.

Some versions of fhttpd allowed remote users to take over the entire machine.
``I don't think bugs of this kind are left in it,'' the author says. How much
is he willing to bet?

I found security holes in thttpd, fixed in version 2.05 (1999-11), allowing
remote users to take over the web server under typical configurations. I've
heard that there were also security holes fixed in version 2.04 (1998-08); I
don't know how severe they were. As of 1999-11, thttpd continues to be
advertised as a ``secure'' HTTP server. It ``goes to great lengths to protect
the web server machine against attacks and breakins from other sites,'' the
author says.

The situation isn't all bad. Marcus Ranum's aftpd, like publicfile, is designed
primarily for security. aftpd is a stripped-down, anonymous-only version of the
BSD FTP server. However, it still uses an external /bin/ls.

I haven't heard about any security holes in mathopd. I would be interested in
hearing from the author whether anyone has conducted security reviews of that
code.

For more information on HTTP server security (and browser security), see
Lincoln D. Stein's WWW Security FAQ.

Hey, what about Windows?

Microsoft's web server for Windows, IIS, has had at least four different
security holes allowing remote users to take over the machine. It has also had
several security holes allowing remote users to corrupt files or steal files.
The BisonWare FTP server for Windows, the Cat Soft Serv-U FTP server for
Windows, the Caltech ExpressFS FTP server for Windows, the Omnicron OmniHTTPD
HTTP server for Windows, and the WFTPD FTP server for Windows have each had
security holes allowing remote users to take over the machine.

art

another Linux user

> I think your best bet is to go with PROftp and remove wu altogether, I've
> had nothing but trouble with wu, pro seems to work securely and efficiently
>
> On Tue, 31 Oct 2000, Faber Fedor wrote:
>
> > Okay, after the first time I was cracked, I removed anon-ftp. Seems that
> > didn't help because the second crack was done via wu-ftp, he logged in as
> > anonymous, and did a buffer overflow.
> >
> > Now, I was under the impression that removing anon-ftp would remove
> > anonymous ftping to my site. It obviously doesn't. Is there any way to
> > remove anonymous from my ftp site, or is it the fact that they did a
> > buffer-overflow and the username is irrelevant?
> >
> > BTW: I just upgraded to wu-ftp 2.6.1. Am I safe or do I need some other
> > method to access my machine when I'm on the road that the vile little
> > crackers can't get at? (I've also added anonymous to my list of
> > /etc/ftpusers and commented out the ftp user in /etc/passwd.)
> >
> > =====
> > Sincerely,
> >
> > Faber Fedor
> > LinuxNJ.com - Linux and Open Source solutions for New Jersey
> >
> > http://www.linuxnj.com
> >
>

---------------------------------------------
This message was sent using Galaxy's Mailman server.
http://www.galstar.com
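The publicfile security rules quoted in the message above (chroot and shed root before accepting any command; refuse files not readable by owner, group and world; refuse PORT targets below 1024 and PORT relaying) written out as stand-alone checks in C. This is an added example, not code from the mailing-list post and not publicfile's own source; the function names, return codes, the 192.0.2.10 client address and the sample PORT arguments are this example's assumptions.

```c
/* Added example: the publicfile rules quoted above, as stand-alone checks.
 * Not publicfile's source; names, return codes and sample inputs are assumed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Rule: refuse files unreadable to owner, group, or world.  Requiring all
 * three read bits (not merely "readable by the server") means a file that
 * was forgotten in the public area with mode 0640 is never served. */
int is_publicly_readable(mode_t mode)
{
    const mode_t need = S_IRUSR | S_IRGRP | S_IROTH;
    return S_ISREG(mode) && (mode & need) == need;
}

/* Rules: reject remote PORT targets below 1024 and reject "PORT relaying",
 * i.e. a target other than the control connection's peer (the classic FTP
 * bounce attack).  Parses the RFC 959 form "h1,h2,h3,h4,p1,p2". */
enum { PORT_OK = 0, PORT_SYNTAX = -1, PORT_PRIVILEGED = -2, PORT_RELAY = -3 };

int check_port_command(const char *arg, const char *peer_ip,
                       char *host, size_t hostlen, int *port)
{
    unsigned v[6];
    char tail;
    /* The trailing %c catches garbage after the six numbers (sscanf returns 7). */
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 6)
        return PORT_SYNTAX;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return PORT_SYNTAX;
    snprintf(host, hostlen, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = (int)(v[4] * 256 + v[5]);
    if (*port < 1024)                 /* e.g. bouncing a connection to port 25 */
        return PORT_PRIVILEGED;
    if (strcmp(host, peer_ip) != 0)   /* peer_ip: getpeername() of the control socket */
        return PORT_RELAY;
    return PORT_OK;
}

/* Rule: chroot() into the public area and shed root before any command.
 * Order matters: chdir into the area, chroot there, chdir("/") so the working
 * directory is inside the new root, drop supplementary groups and the gid
 * while still root (setgid fails after setuid), then setuid, and finally
 * prove root is gone.  Needs root to run; returns 0 on success, -1 on error. */
int shed_root(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)    return -1;  /* "dropping" to root is not dropping */
    if (chdir(dir) != 0)         return -1;
    if (chroot(".") != 0)        return -1;
    if (chdir("/") != 0)         return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;
    if (setuid(0) == 0)          return -1;  /* still root: refuse to continue */
    return 0;
}

int main(void)
{
    /* Constructed PORT arguments from a client whose control connection
     * arrived from 192.0.2.10 (a documentation address; assumed). */
    const char *peer = "192.0.2.10";
    const char *samples[] = {
        "192,0,2,10,4,1",     /* port 1025 on the client itself: accepted */
        "192,0,2,10,0,25",    /* port 25 on the client: privileged, refused */
        "192,0,2,99,4,1",     /* a different host: relaying, refused */
        "192,0,2,10,4",       /* malformed */
    };
    char host[16];
    int port;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = check_port_command(samples[i], peer, host, sizeof host, &port);
        printf("PORT %-18s -> %d\n", samples[i], rc);
    }
    printf("0644 readable: %d, 0640 readable: %d\n",
           is_publicly_readable(S_IFREG | 0644),
           is_publicly_readable(S_IFREG | 0640));
    return 0;
}
```

The same principle as the PORT relay check applies on the PASV side ("automatic PASV IP protection" in the list): accept the incoming data connection only if it comes from the control connection's peer address. shed_root is the piece that needs root and is shown for the ordering; a server that keeps root after chroot() has not gained anything, since root can escape a chroot, which is why the last step checks that setuid(0) now fails.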