Koozali.org: home of the SME Server

Hacker in my e-smith FTP-server?

Lars Thorelius

Hacker in my e-smith FTP-server?
« on: January 26, 2001, 08:37:01 PM »
Hi!

I have just been tipped by my son (who studies networking) that someone in his class has "seen" my e-smith through FTP as Root with full privileges! This worries me, of course, and the culprit won't say how, of course. I have my e-smith 4.01 set up as a public FTP-server, but with no external Telnet rights.

I searched the net for some clues to this, and found the following article:

**********************************************************************************************
Security experts warn of major FTP server flaw
14:55 Monday 26 June 2000
By BARRY PARK
INTERNET security experts have warned of a serious flaw in FTP server software that can allow hackers to take control of the server.
Connectiva Linux Security issued an advisory today warning wu-ftpd users of a buffer overflow that can be remotely exploited, giving hackers root privileges on the system.

The problem affects all wu-ftpd package versions up to and including version 2.6.0, the advisory says.

The company has provided a patch at www.conectiva.com.br.
***********************************************************************************************

Is this something that applies to the e-smith server? Should I switch off the FTP rights (I really have a lot of use for it)?

I would appreciate an initiated answer.

Regards
Lars

Charlie Brady

Re: Hacker in my e-smith FTP-server?
« Reply #1 on: January 26, 2001, 08:48:25 PM »
Lars Thorelius wrote:

> I have just been tipped by my son (who studies networking)
> that someone in his class has "seen" my e-smith through FTP
> as Root with full privileges! This worries me, of course, and
> the culprit won't say how, of course. I have my e-smith 4.01
> set up as a public FTP-server, but with no external Telnet
> rights.

We take security very seriously at e-smith. If anyone ever has any security concerns they should immediately send details to security@e-smith.com - and if you don't remember that, to bugs@e-smith.com.

Do *NOT* post security concerns in a public forum.

> I searched the net for some clues to this, and found the
> following article:
...
****************************
> Security experts warn of major FTP server flaw
> 14:55 Monday 26 June 2000
> By BARRY PARK
> INTERNET security experts have warned of a serious flaw in
> FTP server software that can allow hackers to take control of
> the server.

Please see the first news article on http://www.e-smith.com to see why this does not apply to you or your server.

Regards

Charlie

> Connectiva Linux Security issued an advisory today warning
> wu-ftpd users of a buffer overflow that can be remotely
> exploited, giving hackers root privileges on the system.
>
> The problem affects all wu-ftpd package versions up to and
> including version 2.6.0, the advisory says.
>
> The company has provided a patch at www.conectiva.com.br.
> ***********************************************************************************************
>
> Is this something that applies to the e-smith server? Should
> I switch off the FTP rights (I really have a lot of use for it)?
>
> I would appreciate an initiated answer.
>
> Regards
> Lars

Lars Thorelius

Re: Hacker in my e-smith FTP-server?
« Reply #2 on: January 26, 2001, 09:01:05 PM »
I am very sorry if I have broken some Forum rule by posting the previous message.

I will try to get details on the "attack" and mail them to the address you gave.

Regards
Lars

Charlie Brady

Re: Hacker in my e-smith FTP-server?
« Reply #3 on: January 26, 2001, 09:27:41 PM »
Lars Thorelius wrote:
> I am very sorry if I have broken some Forum rule by posting
> the previous message.

It's not a Forum rule, it is standard security practice (see, for example http://www.apache.org/security_report.html). It is also common sense - would you run along your street yelling "My front door lock no longer works!"?

We are not aware of any security vulnerabilities in proftpd as configured on your server. However, if you believe that your server has been compromised, you should follow CERT advised recovery procedures (http://www.cert.org/nav/recovering.html), and report any finding to security@e-smith.com. Your report will be treated in confidence, and will be given high priority attention.

Thanks for your co-operation

Charlie

Marshall Keith

Re: Hacker in my e-smith FTP-server?
« Reply #4 on: February 07, 2001, 06:53:34 AM »
You didn't look too well... e-smith uses ProFTPD, not wu-ftpd...
So the flaw does not apply to e-smith.
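The question the whole thread turns on is which FTP daemon the server actually runs and whether its version falls inside the range the advisory names (wu-ftpd up to and including 2.6.0). The script below is an added example, not code from the thread or from e-smith/SME Server: it classifies an FTP greeting banner as wu-ftpd or ProFTPD, extracts the version, and says whether the quoted wu-ftpd advisory applies. The banners in it are constructed samples, and the host name is made up. Two caveats a practitioner should keep in mind: the banner is only a hint, since an administrator can change or hide it (ProFTPD's `ServerIdent`, for instance), so on the server itself the package database is the authoritative answer; and a clean answer here says nothing about whether the box has already been compromised by some other route, which is what the CERT recovery steps are for.

```shell
#!/bin/sh
# Added example, not part of the original thread or of e-smith/SME Server.
# Classify an FTP greeting banner and decide whether the wu-ftpd advisory
# quoted above (buffer overflow, versions <= 2.6.0) applies to that daemon.

# Constructed sample banners (not captured from any real host).
WU_260='220 host.example.org FTP server (Version wu-2.6.0(1) Mon Apr 17 2000) ready.'
WU_261='220 host.example.org FTP server (Version wu-2.6.1-16) ready.'
PRO_120='220 ProFTPD 1.2.0pre10 Server (e-smith FTP server) [host.example.org]'
UNKNOWN='220 Welcome'

# ftpd_from_banner BANNER -> prints "wu-ftpd <ver>", "proftpd <ver>" or "unknown"
ftpd_from_banner() {
    banner="$1"
    case "$banner" in
        *"Version wu-"*)
            # wu-ftpd greets with e.g. "(Version wu-2.6.0(1) ...)"; keep the dotted part only
            ver=$(printf '%s\n' "$banner" | sed -n 's/.*Version wu-\([0-9][0-9.]*\).*/\1/p')
            echo "wu-ftpd $ver" ;;
        *ProFTPD*)
            # ProFTPD greets with e.g. "ProFTPD 1.2.0pre10 Server (...)"
            ver=$(printf '%s\n' "$banner" | sed -n 's/.*ProFTPD \([0-9][0-9.]*\).*/\1/p')
            echo "proftpd $ver" ;;
        *)
            echo "unknown" ;;
    esac
}

# version_le A B -> exit status 0 if dotted version A <= B, comparing field by field
# (awk instead of "sort -V" so it also works on non-GNU userlands)
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# wuftpd_advisory_applies BANNER -> "yes", "no" or "unknown"
wuftpd_advisory_applies() {
    set -- $(ftpd_from_banner "$1")   # $1 = daemon, $2 = version (may be empty)
    case "$1" in
        wu-ftpd)
            if [ -z "$2" ]; then
                echo "unknown"          # wu-ftpd, but the banner hid the version
            elif version_le "$2" 2.6.0; then
                echo "yes"
            else
                echo "no"
            fi ;;
        proftpd)
            echo "no" ;;                # different daemon; the wu-ftpd overflow is not its bug
        *)
            echo "unknown" ;;
    esac
}

# Stand-alone run: show the verdict for each constructed banner.
for b in "$WU_260" "$WU_261" "$PRO_120" "$UNKNOWN"; do
    printf '%-45s -> %s\n' "$(ftpd_from_banner "$b")" "$(wuftpd_advisory_applies "$b")"
done

# How you would obtain a real banner or the authoritative answer (not run here):
#   printf 'QUIT\r\n' | nc -w 3 ftp.example.org 21        # what an outsider sees
#   rpm -q proftpd wu-ftpd                                 # on an RPM-based host such as e-smith
```

The banner check is what an outside observer (the classmate in the thread) could have used; `rpm -q` on the host is what the administrator should trust, since a banner is trivially spoofable in both directions.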