Bugtraq mailing list archives

Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)


From: tep () SDSC EDU (Tom Perrine)
Date: Sun, 2 Jul 2000 12:41:41 -0700


On Sat, 1 Jul 2000 02:43:43 -0400, Gregory A Lundberg <lundberg () WU-FTPD ORG> said:

Various snippages below...

    Gregory> At this point the following facts exist:

    Gregory>  - I, personally, have seen NO scanning for FTP services on my networks.
    Gregory>    While this is admittedly anecdotal evidence, the last exploit against
    Gregory>    WU-FTPD, which _did_ work and _was_ in widespread use, was accompanied by
    Gregory>    a marked increase in such scans on the networks I manage.  I have talked
    Gregory>    with several other network operators and most report no increase in
    Gregory>    scanning; one did report he is seeing some FTP probes on his campus.
    Gregory>    The probes and scans I am seeing are consistent with the most-recent
    Gregory>    CERT Current Activity report (
    Gregory>    http://www.cert.org/current/current_activity.html ).

We (SDSC.EDU) have seen significant jumps in probes for FTP only.  The
first ramp up was probably at least 4 weeks ago.  There was a much
larger jump just before and since the BUGTRAQ notes.  This is
consistent with what we hear from University folks at several campuses
we work with.  I'll let them break their own stealth if they desire.

In general, our entire class B or large portions of it are being
scanned at least once a day, and sometimes 2 or 3 times per day,
mostly for FTP only.

    Gregory> The following FALSE facts have been circulated, sometimes by vendor
    Gregory> security teams who should know better than to make such statements without
    Gregory> better evidence:

    Gregory>  - "The exploit is in wide use."  At this point, the WU-FTPD Development
    Gregory>    Group has seen no evidence the exploit works or is being used at all.
    Gregory>    Our position, however, is that the exploit ought to work since the bug
    Gregory>    is real.  So, while this is currently a false statement it could become
    Gregory>    true at some point.

Since we run a very small number of WU-FTP hosts, which were not
vulnerable for various reasons, we can't tell if the actual exploit is
in wide use.  But folks sure are scanning like they have something.
At this point, it almost looks like this has become the scan du jour.

    Gregory> CERT/FIRST teams and those with evidence of a wide-spread attack may
    Gregory> contact me directly; additional contact phone numbers appear at the end of
    Gregory> the WU-FTPD FAQ ( http://www.wu-ftpd.org/wu-ftpd-faq.html ).  If I miss
    Gregory> your call (which can happen occasionally) leave a message; I will return
    Gregory> calls to CERT/FIRST teams.

Since you posted publicly, I thought a public response was
appropriate.

--tep
