Subject: Re: rumors about remote *BSD exploits
To: None <>
From: Justin Lundy <>
List: tech-security
Date: 06/21/2002 05:06:55
On Mon, Jun 17, 2002 at 05:38:12PM +0200, Lubomir Sedlacik wrote:
> we encountered strange dirs on ftp few days ago:
> /home/ftp/ /TAggEd/       ;;;   /for/   ;;;;;  /       ;;;       
> as far as we can tell, nothing else was changed in the system and ftp
> was running in chroot().
> does anyone else have similar experience or anyone has more information
> on what's going on?  anyone seen something like this on NetBSD or
> FreeBSD?

When you see these types of directories appear on misconfigured ftp or
http servers it is possibly the result of automated scanners used by
warez distribution groups. Apparently, these groups scan through socks 5
proxies looking for "pubs" where they can distribute music, video, or 
software files. They operate this way for two primary reasons: a) to 
avoid high bandwidth costs associated with distributing large amounts
of software, and b) to avoid busts for violating the DMCA and other 
related andi-piracy laws. Their software automatically performs several
benchmarks to determine whether or not the victim will make a fast and
high-capacity hub for their activities. 

Usually, disallowing write access will prevent these types of people from
returning. I unknowingly had one of my machines tagged in this same way
off a 1.1Mbit SDSL line in San Jose, CA. They had transferred roughly 16GB
of warez and used about 6GB of disk space on the machine before I noticed
the abnormal activity in my MRTG network utilization statistics. I had made
the mistake of enabling anonymous FTP on a freshly installed FreeBSD machine
and had forgotten that a writable /incoming directory was allowed by default.
I would only be worried if they continue to hammer your network after you 
have fixed your ACLs.         

--jbl [ subterrain / tegatai ]
--email :