Bugtraq mailing list archives
Re: Possible WU-ftpd Worm ?
From: gbnewby () ILS UNC EDU (Gregory Newby)
Date: Wed, 14 Apr 1999 14:04:11 -0400
On Wed, 14 Apr 1999, Stu Alchor wrote:
> I'm a system administrator of an educational domain which deals with ... But what took my attention is that he had a script called ftp-w0rm.tgz which was able to look for ftpd bug around the world, exploit it and reproduce the script like the worm. We found out that once the worm gets in a new host, it will install a backdoor (bindcode) in the port 31337 and starts the new scan. By taking a look at the time stamp, the intruder is running this toy since March.
I sent a message related to this two weeks ago which Aleph (evidently) chose not to post. The message and associated programs/documents are at http://blue.ils.unc.edu/Apr1/hack/ (blue-bugtraq.txt is the post). This program, like ADMwuftpd.c, exploits WRITE-able directories on your Linux FTP server. It then uses a hole in wu-ftpd (found in all versions, including the VR patches) to get a root shell. The program you included, Stu, seems to combine the scanning for a writable directory with the exploit. ADMwuftpd.c, which was posted to Bugtraq around the end of March, needs to be told where to run the exploit. Other programs (a few are available) actually look for writable directories. The hole is a buffer overflow for very long directory names.

From there, everything's easy... the program which started out as a remote FTP connection ends up as a root shell to the remote machine. You don't even get logged, because it's not an actual login. But the intruder could, of course, set up a username or do anything else s/he chooses. You mentioned that a backdoor was installed... sure, that's viable. Once you get that root shell, anything is fair game.

The solution is simply to not have any world writeable directories under your anonymous FTP tree. This is good policy anyway, regardless of this particular exploit, because a world writeable directory is just an invitation for your site to be turned into a warez distribution point.

-- Greg

// Gregory B. Newby, Assistant Professor in the School of Information
// and Library Science, University of North Carolina at Chapel Hill
// CB# 3360 Manning Hall, Chapel Hill, NC, 27599-3360 E: gbnewby () ils unc edu
// V: 919-962-8064 F: 919-962-8071 W: http://www.ils.unc.edu/~gbnewby/
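Greg's fix is a policy check an administrator can automate: walk the anonymous FTP tree, report every world-writable directory (the precondition both ADMwuftpd.c and the ftp-w0rm script need), and while there, flag directory names long enough to be the residue of the overflow he describes. The script below is an added example written for this archive page, not code from the post or from the tools it names; the FTP root and the name-length threshold of 200 are constructed values, and the sample tree it builds stands in for a real /home/ftp.

```python
#!/usr/bin/env python3
"""Audit an anonymous FTP tree for world-writable directories and for
abnormally long directory names. Added example; not from the original post."""
import os
import stat
import tempfile

# Assumed threshold: the post gives no figure, so this is a constructed value
# chosen to sit far outside ordinary naming while staying under NAME_MAX.
LONG_NAME = 200


def audit_ftp_tree(root, long_name=LONG_NAME):
    """Walk `root`; return the world-writable directories and the
    directories whose name exceeds `long_name` characters."""
    findings = {"world_writable": [], "long_names": []}
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:  # "other" write bit set
                findings["world_writable"].append(path)
            if len(name) > long_name:
                findings["long_names"].append(path)
    return findings


def fix_world_writable(paths):
    """Clear the other-write bit on each directory; return the paths changed."""
    changed = []
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode)
        os.chmod(p, mode & ~stat.S_IWOTH)
        changed.append(p)
    return changed


def _mkdir(path, mode):
    """Create a directory and set its mode explicitly, ignoring the umask."""
    os.mkdir(path)
    os.chmod(path, mode)


def build_sample_tree():
    """Constructed sample tree standing in for /home/ftp: a world-writable
    'incoming' directory plus one overlong directory name."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    _mkdir(os.path.join(root, "pub"), 0o755)
    _mkdir(os.path.join(root, "pub", "docs"), 0o755)
    _mkdir(os.path.join(root, "pub", "incoming"), 0o777)   # the exploit precondition
    _mkdir(os.path.join(root, "pub", "docs", "A" * 240), 0o755)  # overlong name
    return root


if __name__ == "__main__":
    ftp_root = build_sample_tree()
    report = audit_ftp_tree(ftp_root)
    for p in report["world_writable"]:
        print("world-writable:", p)
    for p in report["long_names"]:
        print("suspiciously long name:", p)
    fix_world_writable(report["world_writable"])
    print("world-writable after fix:", audit_ftp_tree(ftp_root)["world_writable"])
```

Run it against the real tree by replacing `build_sample_tree()` with the FTP root path; the long-name check is an indicator to investigate, not proof of compromise, and the chmod step is the same change Greg recommends applied mechanically.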
Current thread:
- Serious security holes in web anonimyzing services, (continued)
- Serious security holes in web anonimyzing services Patrick Oonk (Apr 13)
- Re: Serious security holes in web anonimyzing services Jeremey Barrett (Apr 13)
- Re: ARP problem in Windows9X/NT route () RESENTMENT INFONEXUS COM (Apr 13)
- Re: ARP problem in Windows9X/NT gandalf () POBOX COM (Apr 13)
- Re: ARP problem in Windows9X/NT route () RESENTMENT INFONEXUS COM (Apr 13)
- Re: ARP problem in Windows9X/NT Alan DeKok (Apr 13)
- Re: ARP problem in Windows9X/NT Joseph Gooch (Apr 14)
- Re: ARP problem in Windows9X/NT gandalf () POBOX COM (Apr 15)
- Possible WU-ftpd Worm ? Stu Alchor (Apr 13)
- Re: Possible WU-ftpd Worm ? Gregory A Lundberg (Apr 14)
- Re: Possible WU-ftpd Worm ? Gregory Newby (Apr 14)
- Re: Possible WU-ftpd Worm ? M.Brands (Apr 14)
- Real Media Server stores passwords in plain text Francisco M. Marzoa Alonso (Apr 14)
- Announce: Secure UNIX Programming FAQ Thamer Al-Herbish (Apr 13)
- Bugs in anonymity services Avi Rubin (Apr 13)