[KLUG Members] Re: Wu-ftpd problems
Jamie McCarthy
members@kalamazoolinux.org
Wed, 26 Dec 2001 14:29:46 -0500

b.j.smith@ieee.org (Bryan-TheBS-Smith) writes:
> > I installed wu-ftpd-2.6.1-16.i386.rpm
>
> First rule of thumb: If you want to get hacked, run WU-FTPD.
>
> Second rule of thumb: The FTP protocol sucks.
>
> Third rule of thumb: Various protocols can easily replace FTP
> today.

Yes, yes, and yes (except for the word "easily", which isn't always
true, especially if clients are less than net-savvy). wu-ftpd is
probably the single easiest way to get your machine 0wned.

It looks like 2.6.1-16 isn't even free of _known_ vulnerabilities --
what I'm seeing is that its build date is March 29th. About a month
ago, a remote root hole was found. This means that, by now, savvy
intruders have found a way to take over your machine from a remote
location if you're running a version of wu-ftpd prior to its latest
update. You want wu-ftpd-2.6.1-0.6x.21, which is the latest,
known-holes-patched version.

Here are the CERT advisory and Red Hat's advisory:

http://www.cert.org/advisories/CA-2001-33.html
http://www.redhat.com/support/errata/RHSA-2001-157.html

So if this machine you've installed wu-ftpd on is actually running
it, if it's connected to the internet without a firewall blocking
incoming FTP connections, and if it's been this way for, say, a
week, I'd give even money that this machine is not yours anymore;
it probably already belongs to an attacker.

I see your original email was sent Dec. 16 (your Date line was off,
so my email client misfiled it), so I hope the above conditions are
not true. If they are, your machine may belong to someone else now
until you kick them off (which means a complete system reinstall;
the first step is to disconnect the machine from the internet). Email
the list if you have questions about intruder cleanup...

--
Jamie McCarthy
jamie@mccarthy.vg