
Date:  Fri, 30 Dec 2005 10:59:28 +0100
From:  "Mevershosting.nl" <info (at mark) mevershosting.nl>
Subject:  [coba-e:03747] Re: ProFTP 1.2.9 Vunerability?
To:  coba-e (at mark) bluequartz.org
Message-Id:  <78964AB012E2A247BA86E219659F235C2F13CA (at mark) mevers1.meverskantoor.nl>
X-Mail-Count: 03747

Yes I do; all attempts to get into our systems always use local access
to ssh.
We prevent local access to ssh now, and we do not have any troubles
with this anymore.

Also make sure your awstats is up to date if you use it; versions before
6.4 (I believe) can be easily used to get into your system.

Mevershosting.nl


-----Original message-----
From: Greg Boehnlein [mailto:damin (at mark) nacs.net]
Sent: Thursday 29 December 2005 17:42
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:03740] Re: ProFTP 1.2.9 Vunerability?


On Thu, 29 Dec 2005, Mevershosting.nl wrote:

> Make sure your ssh does not accept local connections; files uploaded are
> almost always shell scripts which use ssh.
> Without ssh they can't do too much..

Are you suggesting disabling SSH access for localhost? Ala 127.0.0.1?
 
> Kind regards,
> 
> Mevershosting.nl
> 
> 
> -----Original message-----
> From: "Ing. Ernesto Pérez Estévez" [mailto:info (at mark) ecualinux.com]
> Sent: Wednesday 28 December 2005 22:16
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:03738] Re: ProFTP 1.2.9 Vunerability?
> 
> 
> 
> Hey, that's good.. I will try that one as well..
> 
> thanks
> epe
> Ken Marcus - Precision Web Hosting wrote:
> > I've had servers in the past where my customers set up accounts like
> > user sam with password sam. Hackers use scripts to guess common
> > usernames with common passwords. Then they upload files to the user's
> > directories. From there they try to hack your server with php or perl
> > scripts.
> > 
> > What I do is add the <Limit LOGIN> section to the /etc/proftpd.conf to
> > not allow logins from users that are not siteadmins.
> > If a non-siteadmin user actually needs FTP, then I will add them
> > manually.
> > 
> > So the global section of my proftpd.conf looks something like:
> > 
> > <Global>
> >   TimesGMT off
> >   DefaultChdir ../../web site-adm
> >   <Limit SITE_CHMOD>
> >      AllowAll
> >   </Limit>
> >   IdentLookups off
> >   MaxClientsPerUser 5
> >   DeferWelcome on
> >   <Limit LOGIN>
> >      DenyAll
> >      AllowGroup site-adm
> >      AllowUser admin
> >   </Limit>
> >   ServerIdent off
> > </Global>
> > UseReverseDNS off
> > 
> > 
> > 
> > ----
> > 
> > Ken Marcus
> > Precision Web Hosting
> > http://www.precisionweb.net
> > 
> > "Ernesto Pérez Estévez" wrote:
> > 
> >> it happened to me, user (for example) mike was using the password
> >> mike, so the attacker easily entered the system and uploaded the
> >> paypal fake site in /users/mike/web and then sent tons of mails
> >> redirecting to www.somesite.com/~mike/.paypal/login.html or things
> >> like that.
> >>
> >> In my case they never used that exploit, just used a weak password
> >> from a customer. In fact I disabled /~personal sites so the customers
> >> now are not using personal sites; in fact nobody on my servers uses
> >> them.
> >>
> >> But anyway, it is a good idea to apply that patch, just in case!
> >>
> >> thanks
> >> epe
> >>
> >> Greg Boehnlein wrote:
> >>
> >>> We recently discovered a new Blue Quartz box (installed using
> >>> NuOnce.net's BQ 3.0 ISO image) that apparently was brute-force
> >>> attacked via ProFTPD, exploited and used in a PayPal phishing scam.
> >>> Our forensic analysis led us to the following exploit:
> >>>
> >>> http://www.frsirt.com/exploits/10.13.proft_put_down.c.php
> >>>
> >>> The short and the sweet of this exploit is that it can result in a
> >>> root compromise.
> >>>
> >>> I cannot confirm or deny that the latest BlueQuartz RPM of
> >>> proftpd-1.2.9-8BQ2 is vulnerable, as I didn't have time to test it
> >>> yet. However, I can say that I have built new 1.2.10 RPMS and
> >>> installed them and will test against them. You can find the updated
> >>> RPMS here:
> >>>
> >>> ftp://ftp.nacs.net/blue-quartz/proftpd-1.2.10-1BQ1.i386.rpm
> >>> ftp://ftp.nacs.net/blue-quartz/proftpd-1.2.10-1BQ1.src.rpm
> >>>
> >>> Please feel free to test them and verify that they are good. If so,
> >>> please consider including them in the BlueQuartz release.
> >>>
> -----
> 
> Scanned for virus and spam
> 

-- 
    Vice President of N2Net, a New Age Consulting Service, Inc. Company
         http://www.n2net.net Where everything clicks into place!
                             KP-216-121-ST





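As an added example that is not part of the thread, here is a small Python audit of the `<Limit LOGIN>` pattern Ken Marcus posted: it parses the block and reports which accounts would still be able to log in over FTP. The evaluation order it applies (Allow* directives first, then Deny*, with a user matching neither let through) is this example's reading of ProFTPD's default `Order allow,deny`; the config text and the account list are constructed sample data.

```python
import re

# Constructed sample: the <Limit LOGIN> block from the thread, as it would be
# copied out of /etc/proftpd.conf (example data only, not read from a live host).
SAMPLE_CONF = """
<Global>
  <Limit LOGIN>
    DenyAll
    AllowGroup site-adm
    AllowUser admin
  </Limit>
</Global>
"""

DIRECTIVES = ("allowuser", "allowgroup", "denyuser", "denygroup", "denyall")

def parse_login_limit(conf: str) -> dict:
    """Map each Allow*/Deny* directive in the first <Limit LOGIN> block to its names."""
    m = re.search(r"<Limit\s+LOGIN>(.*?)</Limit>", conf, re.S | re.I)
    if not m:
        raise ValueError("no <Limit LOGIN> block: every FTP account can log in")
    lim = {d: set() for d in DIRECTIVES}
    for line in m.group(1).splitlines():
        parts = line.split()
        if parts and parts[0].lower() in lim:
            # one user/group name per directive assumed (ProFTPD also accepts expressions)
            lim[parts[0].lower()].update(parts[1:] or ["*"])
    return lim

def login_permitted(lim: dict, user: str, groups: set) -> bool:
    """Assumes ProFTPD's default 'Order allow,deny': Allow* directives are checked
    first and win on a match, then Deny*; a user matching neither is let through,
    which is why the thread's block needs DenyAll to shut out everyone else."""
    if user in lim["allowuser"] or groups & lim["allowgroup"]:
        return True
    if lim["denyall"] or user in lim["denyuser"] or groups & lim["denygroup"]:
        return False
    return True

def audit(lim: dict, accounts: dict) -> list:
    """Given {user: [groups]}, list the accounts that would pass <Limit LOGIN>."""
    return sorted(u for u, g in accounts.items() if login_permitted(lim, u, set(g)))

if __name__ == "__main__":
    limit = parse_login_limit(SAMPLE_CONF)
    print(audit(limit, {"admin": [], "sam": ["users"], "alice": ["site-adm"]}))
```

Running the same audit against a block that has Allow* lines but no DenyAll shows the fall-through: the weak-password account `sam` from the thread would still be accepted.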