[10215] in bugtraq
Re: Possible WU-ftpd Worm ?
daemon@ATHENA.MIT.EDU (Gregory Newby)
Thu Apr 15 12:34:04 1999
Date: Wed, 14 Apr 1999 14:04:11 -0400
Reply-To: Gregory Newby <gbnewby@ILS.UNC.EDU>
From: Gregory Newby <gbnewby@ILS.UNC.EDU>
X-To: Stu Alchor <stu@UPD.CEFETSP.BR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.990414021634.928A-100000@upd.cefetsp.br>
On Wed, 14 Apr 1999, Stu Alchor wrote:
> I'm a system administrator of an educational domain which deals with
> ...
> But what took my attention is that he had a script called ftp-w0rm.tgz
> which was able to look for the ftpd bug around the world, exploit it and
> reproduce the script like a worm. We found out that once the worm gets
> into a new host, it installs a backdoor (bindcode) on port 31337
> and starts a new scan. By taking a look at the time stamp, the intruder
> has been running this toy since March.
I sent a message related to this two weeks ago which Aleph
(evidently) chose not to post. The message and associated
programs/documents are at http://blue.ils.unc.edu/Apr1/hack/
(blue-bugtraq.txt is the post).
This program, like ADMwuftpd.c, exploits
WRITE-able directories on your Linux FTP server.
It then uses a hole in wu-ftpd (found in all versions,
including the VR patches) to get a root shell.
The program you included, Stu, seems to combine the scanning
for a writable directory with the exploit. ADMwuftpd.c,
which was posted to Bugtraq around the end of March,
needs to be told where to run the exploit. Other
programs (a few are available) actually look for writable
directories.
The hole is a buffer overflow for very long directory
names.
From there, everything's easy... the program
which started out as a remote FTP connection ends up as
a root shell to the remote machine. You don't even
get logged, because it's not an actual login. But
the intruder could, of course, set up a username or
do anything else s/he chooses. You mentioned that
a backdoor was installed... sure, that's viable.
Once you get that root shell, anything is fair game.
The solution is simply to not have any world-writable
directories under your anonymous FTP tree. This is
good policy anyway, regardless of this particular exploit,
because a world-writable directory is just an invitation
for your site to be turned into a warez distribution point.
-- Greg
// Gregory B. Newby, Assistant Professor in the School of Information
// and Library Science, University of North Carolina at Chapel Hill
// CB# 3360 Manning Hall, Chapel Hill, NC, 27599-3360 E: gbnewby@ils.unc.edu
// V: 919-962-8064 F: 919-962-8071 W: http://www.ils.unc.edu/~gbnewby/
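An added example, not part of Greg's post or of any of the programs it mentions: a small audit script that walks an anonymous FTP tree the way an admin would walk /var/ftp, reports every directory whose mode bits grant write access to "other" (the precondition the worm needs), and can strip that bit. The tree it builds under a temp directory (pub/incoming left 0777, pub/ok 0755) is constructed sample data; the FTP root path is whatever you pass in.

```python
"""Audit an anonymous FTP tree for world-writable directories (added example)."""
import os
import stat
import tempfile


def find_world_writable_dirs(root):
    """Return sorted relative paths of directories under root that are world-writable.

    Checks the mode bits (S_IWOTH) rather than os.access(), so the result does
    not depend on who runs the audit (root can always write anyway).
    """
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):  # symlinked dirs are not followed
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def fix_world_writable_dirs(root, dry_run=True):
    """Strip the 'other write' bit from each offending directory; return what was (or would be) fixed."""
    fixed = []
    for rel in find_world_writable_dirs(root):
        path = os.path.join(root, rel)
        if not dry_run:
            mode = os.lstat(path).st_mode & 0o7777
            os.chmod(path, mode & ~stat.S_IWOTH)
        fixed.append(rel)
    return fixed


def demo():
    """Build a constructed sample FTP tree in a temp dir, audit it, harden it, audit again.

    pub/incoming is deliberately 0777 (the classic anonymous 'drop box');
    pub and pub/ok are 0755. Returns (findings_before, findings_after).
    """
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    os.chmod(root, 0o755)
    for rel, mode in (("pub", 0o755), ("pub/ok", 0o755), ("pub/incoming", 0o777)):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so the umask cannot change the outcome
    before = find_world_writable_dirs(root)
    fix_world_writable_dirs(root, dry_run=False)
    after = find_world_writable_dirs(root)
    return before, after


if __name__ == "__main__":
    print(demo())  # -> (['pub/incoming'], [])
```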