[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : ftpd vulnerability

Title: ftpd vulnerability
Released by: CERT
Date: 1st December 1988
Printable version: Click here 
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





 CA-88.01

      

                        CERT Advisory

                        December 1988

                        ftpd vulnerability

                

Last revised: September 16, 1997

              Attached copyright statement



                                        

- -----------------------------------------------------------------------------



   ** The sendmail portion of this advisory is superseded by CA-95:05. **



There have been several problems or attacks which have occurred in the

past few weeks.  In order to help secure your systems we have gathered

the following suggestions:



        1) Check that you are using version 5.59 of sendmail with the

           debug option DISABLED.  To verify the version try the following

           commands.  Use the telnet program to connect to your mail server.

           Telnet to your hostname or localhost with 25 following the host.

           The sendmail program will print a banner which will have the

           version number in it.  You need to be running version 5.59.

           Version 5.61 will be released on Monday 12/12/1988.  Any

           version less than 5.59 is a security problem.



           The following is a sample of the telnet command.



% telnet localhost 25

Trying...

Connected to localhost.SEI.CMU.EDU.

220 ed.sei.cmu.edu Sendmail 5.59 ready at Wed, 7 Dec 88 15:45:55 EST

Quit

221 ed.sei.cmu.edu closing connection

Connection closed by foreign host.

%



        2) Verify with your systems support staff that the ftpd program

           patches have been installed.  Removing anonymous ftp is now

           known to NOT plug all security holes.  If you are not sure,

           ftp to ucbarpa.berkeley.edu, login as anonymous password ftp

           and get ftpd.shar.  This file contains the sources to the

           latest BSD release of the ftpd program.



        3) Check your /etc/passwd file for bogus entries.  Look for

           unauthorized accounts with the uid field set to zero (only

           the root account should have uid=0).  Remove any unauthorized

           entries.  The following is an example of what you might find.



                install::0:1::/:



           To check your /etc/passwd files for spurious accounts with uid 0,

           you can use the following awk program:



% awk -F: '$3 == 0 {print $0}' /etc/passwd



           If you are running YP on your machine, do:



% ypcat passwd | awk [...as above]







        4) Look for modified /bin/login and /usr/ucb/telnet files.

           Several sites have found these programs with new "backdoors"

           added.  Use the strings program to search /bin/login for the

           strings OURPW, knaobj, and knaboj.  If in doubt, reload the

           /bin/login and /usr/ucb/telnet executables from your

           distribution tape.



% strings  /bin/login | egrep '(OURPW|knaboj|knaobj)'





        5) Educate your users to create hard to guess passwords.  Account

           codes, first or last names, and common words are not very

           secure passwords.  A few examples of common words are words

           that refer to your town, location, or company and words that

           are found in /usr/dict/words.  Be especially careful of accounts

           where the password is the account name (easy to check, easy to

           guess.



        6) In general, before you allow a user access to the Internet,

           you must be sure you know who they are.  In other words, all

           users should be forced through a login/password sequence

           (no unpassworded accounts and preferably someplace which logs

           connections) before you let them get outside your local network.

           Be especially careful with TCP/IP terminal servers.



        7) check the last logs for normal logins as accounts which normally

           run utility programs (sync, who, etc), watch for unreasonable

           times..  watch for ftp's with funny logins (who, etc).

- ---------------------------------------------------------------------------



Computer Emergency Response Team (CERT)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Internet: cert@cert.org

Telephone: 412-268-7090 24-hour hotline: CERT personnel answer

           7:30a.m.-6:00p.m. EST, on call for

           emergencies other hours.



Past advisories and other information are available for anonymous ftp

from cert.org (192.88.209.5).





Copyright 1988 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://info.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Revision History



September 16, 1997  Attached copyright statement



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS8Rlr9kb5qlZHQEQLT3wCcDVue0O1BL7T3wxCaA2a1fHRMaPkAoIhD

voqkLqmvHbcs6Co5gmOWphiW

=4DQ8

-----END PGP SIGNATURE-----






(C) 1999-2000 All rights reserved.