
anonymous ftp/pub cracked on HP-UX

 
SOLVED
lastgreatone
Regular Advisor

anonymous ftp/pub cracked on HP-UX

This is a k420 11/32.
Do I only need to configure the /etc/ftpd/ftphosts and /etc/ftpd/access to deny NinjaTune from dumping some rather offending files in the anonymous pub sub-directory? I'm still puzzled as to how it was able to run commands in the pub sub-dir, which is not world writable. Any ideas?
Shannon Petry
Honored Contributor

Re: anonymous ftp/pub cracked on HP-UX

Not sure what ninja tune is, but it sounds like you have more than just an issue with /etc/ftpd/ftphosts.

First, if you have anonymous AND standard FTP enabled you will have much more difficulty in determining the problem.

I have public and secure servers and never both on the same machine.

Next, if there is a particular host dumping stuff into a directory, then it's a better bet to disallow the connection at inetd instead of ftpd.
vi /var/adm/inetd.sec
ftp deny somehost someotherhost etc...

man inetd.sec for more information.

Lastly, if this is a hack/tool that allows a shell to your system, you need to get up to date on patches. If you are completely up to date with patches concerning wu-ftpd or fort-knox (depending on your HP-UX version) then contact HP Support and get bugs submitted. Disable the FTP server until a bug fix is available to protect yourself.

If you give a more technical description of the issues, it's easier for us to assist you!

Regards,
Shannon
Microsoft. When do you want a virus today?
Christopher Caldwell
Honored Contributor

Re: anonymous ftp/pub cracked on HP-UX

First off, there are security issues with ftpd on HP-UX, if you're not patched. So make sure you're patched.

Anonymous access (especially access that allows writes) can cause misery.

Check file/directory perms first. The world bit doesn't necessarily control access in anonymous - check the group to which the user ftp belongs. If any dirs have write access for ftp or ftp's group, then folks will be able to create files and directories when they log in anonymously.

ftpaccess (man ftpaccess) allows some fairly fine grained access control. See
http://www.wu-ftpd.org
for examples on ftpaccess, ftphost configs and directives.

Unix perms are the rule. There are directives to complement and further restrict Unix perms based on class (e.g. chmod, umask, delete, overwrite, rename, dirs, nodirs).
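
The permission check described in the reply above (write bits reachable by the ftp account or its groups, not only the world bit), as an added example that is not part of any poster's reply. The function name is hypothetical, and the account name "ftp" in the usage comment is an assumption about the local passwd file.

```shell
#!/bin/sh
# Added example: list every file or directory under an anonymous FTP root
# that a given account could write to, via owner, group, or world bits.
# Usage:  audit_ftp_writable ROOT FTP_UID "GID1 GID2 ..."
# Output: one line per finding, "<reason> <path>".
audit_ftp_writable() {
    root=$1; ftp_uid=$2; ftp_gids=$3

    # World-writable: any anonymous session can write, whatever its ids.
    find "$root" \( -type d -o -type f \) -perm -0002 -print |
        sed 's/^/world /'

    # Owner-writable and owned by the FTP account itself.
    find "$root" \( -type d -o -type f \) -user "$ftp_uid" -perm -0200 -print |
        sed 's/^/owner /'

    # Group-writable where the group is one the FTP account belongs to.
    for gid in $ftp_gids; do
        find "$root" \( -type d -o -type f \) -group "$gid" -perm -0020 -print |
            sed 's/^/group /'
    done
}

# Example run against the layout from the thread (the path is the poster's;
# the account name "ftp" is assumed):
#   audit_ftp_writable /home/ftp "$(id -u ftp)" "$(id -G ftp)"
```

Any line of output is a place where an anonymous login can create or replace content; an empty result means the tree is read-only to that account as far as Unix permissions go.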

Christopher Caldwell
Honored Contributor

Re: anonymous ftp/pub cracked on HP-UX

BTW, correct setup for anonymous is given in the man page for ftpd (search for anonymous).
lastgreatone
Regular Advisor

Re: anonymous ftp/pub cracked on HP-UX

Yes, regular ftp and anonymous ftp have to be enabled on this system (at managers' insistence). But I did disable incoming about 1 year ago for fear of being cracked. And yet the /pub directory for anonymous uploads was the victim!

The /home/ftp is root owned (755). /home/ftp/pub is root:www (755). I did check the documentation of setting permissions for anonymous ftp sub-dirs and all checks out ok. Since I no longer have an incoming sub-dir for anonymous ftp, should I remove all entries in the /home/ftp/etc/passwd except for root?


Shannon Petry
Honored Contributor

Re: anonymous ftp/pub cracked on HP-UX

I'm not sure if you understand the complete logic behind the /home/ftpd/etc/passwd.

This file simply gives name identity to files instead of UID and GID numbers. Even then this may not be true if you chroot your anonymous ftp ID which you should be doing.

wu_ftpd will auth off your normal passwd file. I'd really suggest that you do a bit of homework and get this right. Mixing anon and real FTP is a huge problem, in that it is terribly difficult to see where your oversights/fixes need to be.

I have a guide I wrote a long time ago on some of the chroot and necessities of setting up anonymous ftp. I'll try to convert it to html and post it if you have need.

Really though, get up to date on all patches as soon as possible. To avoid further hacks/hacking disable ftp until all possible security patches are installed.

Regards,
Shannon
Microsoft. When do you want a virus today?
Steven E. Protter
Exalted Contributor

Re: anonymous ftp/pub cracked on HP-UX

I would put ftp users in a chroot jail.

This is possible with changes to the files above. I was lazy and used the Bastille tool to do it for me.

Two things to check here.

security_patch_check
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6834AA&date=

This guy connects to HP, analyzes your machine, and lets you know how many patches you need to be current.

Bastille
https://payment.ecommerce.hp.com/cgi-bin/swdepot_parser.cgi/cgi/try.pl?productNumber=B6849AA&date=

They will tone up all your security including ftp.

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Chris Wong
Trusted Contributor
Solution

Re: anonymous ftp/pub cracked on HP-UX

Hi,

I have 3 articles regarding HP-UX FTP. One is on using anon FTP and creating a restricted FTP user:

http://newfdawg.com/SHP-Articles.htm

As others have mentioned, just one little misconfiguration or a missing patch and access is opened.
- Chris
lastgreatone
Regular Advisor

Re: anonymous ftp/pub cracked on HP-UX

Thanks to all for your replies. I did check for the latest ftp patch and PHNE_23949 is installed. I did somewhat understand the purpose of /home/ftp/etc/passwd but I will certainly refresh my memory with the links you have provided.

As for using the 'guy', I believe I need HP Software support for that usage, and someone here decided when contract renewal came up that wasn't really required.