Bugtraq mailing list archives
Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
From: tep () SDSC EDU (Tom Perrine)
Date: Sun, 2 Jul 2000 12:41:41 -0700
On Sat, 1 Jul 2000 02:43:43 -0400, Gregory A Lundberg <lundberg () WU-FTPD ORG> said:
Various snippage below...

Gregory> At this point the following facts exist:

Gregory> - I, personally, have seen NO scanning for FTP services on my networks.
Gregory>   While this is admittedly anecdotal evidence, the last exploit against
Gregory>   WU-FTPD, which _did_ work and _was_ in widespread use, was accompanied by
Gregory>   a marked increase in such scans on the networks I manage. I have talked
Gregory>   with several other network operators and most report no increase in
Gregory>   scanning; one did report he is seeing some FTP probes on his campus.

Gregory>   The probes and scans I am seeing are consistent with the most-recent
Gregory>   CERT Current Activity report (
Gregory>   http://www.cert.org/current/current_activity.html ).

We (SDSC.EDU) have seen significant jumps in probes for FTP only. The first ramp up was probably at least 4 weeks ago. There was a much larger jump just before and since the BUGTRAQ notes.

This is consistent with what we hear from University folks at several campuses we work with. I'll let them break their own stealth if they desire.

In general, our entire class B or large portions of it are being scanned at least once a day, and sometimes 2 or 3 times per day, mostly for FTP only.

Gregory> The following FALSE facts have been circulated, sometimes by vendor
Gregory> security teams who should know better than to make such statements without
Gregory> better evidence:

Gregory> - "The exploit is in wide use." At this point, the WU-FTPD Development
Gregory>   Group has seen no evidence the exploit works or is being used at all.
Gregory>   Our position, however, is that the exploit ought to work since the bug
Gregory>   is real. So, while this is currently a false statement it could become
Gregory>   true at some point.

Since we run a very small number of WU-FTP hosts, which were not vulnerable for various reasons, we can't tell if the actual exploit is in wide use. But folks sure are scanning like they have something.

At this point, it almost looks like this has become the scan du jour.

Gregory> CERT/FIRST teams and those with evidence of a wide-spread attack may
Gregory> contact me directly; additional contact phone numbers appear at the end of
Gregory> the WU-FTPD FAQ ( http://www.wu-ftpd.org/wu-ftpd-faq.html ). If I miss
Gregory> your call (which can happen occasionally) leave a message; I will return
Gregory> calls to CERT/FIRST teams.

Since you posted publicly, I thought a public response was appropriate.

--tep