[KLUG Members] Re: Wu-ftpd problems

Jamie McCarthy members@kalamazoolinux.org
Wed, 26 Dec 2001 14:29:46 -0500


b.j.smith@ieee.org (Bryan-TheBS-Smith) writes:

> > I installed wu-ftpd-2.6.1-16.i386.rpm
>
> First rule of thumb:  If you want to get hacked, run WU-FTPD.
> 
> Second rule of thumb:  The FTP protocol sucks.
> 
> Third rule of thumb:  Various protocols can easily replace FTP
> today.

Yes, yes, and yes (except for the word "easily", which isn't always
true, especially if clients are less than net-savvy).  wu-ftpd is
probably the single easiest way to get your machine 0wned.

It looks like 2.6.1-16 isn't even free of _known_ vulnerabilities --
what I'm seeing is that its build date is March 29th.  About a month
ago, a remote root hole was found.  This means that, by now, savvy
intruders have found a way to take over your machine from a remote
location if you're running a version of wu-ftpd prior to its latest
update.  You want wu-ftpd-2.6.1-0.6x.21 which is the latest,
known-holes-patched version.

Here are the CERT advisory and Red Hat's advisory:

http://www.cert.org/advisories/CA-2001-33.html
http://www.redhat.com/support/errata/RHSA-2001-157.html

So if this machine you've installed wu-ftpd on is actually running
it, if it's connected to the internet without a firewall blocking
incoming FTP connections, and if it's been this way for, say, a
week, I'd give even money that this machine is not yours anymore;
it probably already belongs to an attacker.

I see your original email was sent Dec. 16 (your Date line was off
so my email client misfiled it), so I hope the above conditions are
not true.  If they are, your machine may belong to someone else now
until you kick them off (which means a complete system reinstall;
the first step is to disconnect the machine from the internet).  Email
the list if you have questions about intruder cleanup...
--
 Jamie McCarthy
 jamie@mccarthy.vg