LinuxQuestions.org
Old 09-22-2002, 05:17 PM   #1
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Rep: Reputation: 30
Guy got root directory access from my FTP server... how can I fix this?


Some guy made a file or something called "\" in my ftp share folder. It appears to be a folder, so when I type:

root@Wolf88: cd \

I get this


root@Wolf88:
>_


I don't know what this is... but I can't foresee it as being good since it allows virtually anyone with ftp access to control and/or use my system. Also, when I connect via an FTP client and enter the "\" folder, it redirects me to my root directory. I need to know what I can do to prevent this... is it safe to delete this from the ftp share folder? What can I do, and what can I do to prevent this from happening?
 
Old 09-22-2002, 05:30 PM   #2
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Original Poster
Rep: Reputation: 30
Now, the folder "\" is missing when I log onto the server via FTP client from Windows, but when I do an ls of the "Storage" directory on my nix box, it's still there.
 
Old 09-22-2002, 06:19 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

Rep: Reputation: 2893
First of all, don't fuss about. The basics are:
- log details
- prevent networked access
- establish system integrity

Log:
netstat -anp >> /tmp/log
w(who|whoson) >> /tmp/log
ps au >> /tmp/log
lsof >> /tmp/log
lsmod >> /tmp/log
Now you've got the basic stuff (if unmodified binaries): connected IP addresses, who is logged on, running processes (not if hidden), running processes + open files, sockets etc, loaded modules (not if hidden). The rest you can scrape off of snort, your firewall and your ftp servers logs (if any).

Disconnect:
Now disconnect your box from the network.

Integrity:
Always state as much in detail as you possibly can. W/o we can't help. Period. This means distro, version, daemon version, any config weirdness, log excerpts, etc.
Now you will have to establish the integrity of your system, this means checking configs, logs and binaries.
If you didn't install and use a system integrity checking app like Aide, Tripwire, Samhain or equiv, then since your system doesn't provide package verification basically you're fscked.
Another chance would be to scan with Chkrootkit(.org) for known rootkits, but this can't flag "new" stuff, nor can it verify the integrity of your binaries.
Post any errors you get or "weird" files you find.

IMO you should wait with worrying about deleting stuff till after you've made pretty damn sure your system is clean, and till then you should not connect your system to any network. Look for basic steps at Steps for Recovering from a UNIX or NT System Compromise.

Now give us some details that will help us help you add a proper solution for your problems.
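The five "Log:" commands above, as an added shell script that is not from unSpawn or any poster: it runs the same commands in volatility order, timestamps each section, falls back to ss where netstat is missing, records a command that is absent instead of aborting, and checksums the result so the evidence copy can be verified later. The TRUSTED_BIN variable, the log path argument and the section labels are assumptions of this example; the post's own caveat about unmodified binaries is why the script lets you prepend a directory of known-good static binaries.

```shell
# Snapshot volatile state, most volatile first: sockets, logins, processes,
# open files, loaded modules. Assumed: run as root from a shell you still trust.
# If the host's binaries may be trojaned, set TRUSTED_BIN to a directory of
# known-good static binaries (read-only media) before calling.
TRUSTED_BIN=${TRUSTED_BIN:-}

# Append a "== label (UTC time) ==" header and one command's output to the log,
# or a note when that command is not installed on this box.
capture() {   # $1 = log file, $2 = label, $3.. = command and its arguments
  log=$1; label=$2; shift 2
  printf '\n== %s (%s) ==\n' "$label" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
  if command -v "$1" >/dev/null 2>&1; then
    "$@" >> "$log" 2>&1 || printf '[%s exited %s]\n' "$1" "$?" >> "$log"
  else
    printf '[%s not available]\n' "$1" >> "$log"
  fi
}

# Build the snapshot the post describes and print the log path.
collect_volatile_state() {   # $1 = log file (prefer removable/remote storage over /tmp)
  log=$1
  PATH=${TRUSTED_BIN:+$TRUSTED_BIN:}$PATH
  : > "$log"
  printf '== snapshot of %s by uid %s ==\n' "$(uname -n)" "$(id -u)" >> "$log"
  if command -v ss >/dev/null 2>&1; then
    capture "$log" sockets ss -anp          # modern replacement for netstat -anp
  else
    capture "$log" sockets netstat -anp
  fi
  capture "$log" logins w
  capture "$log" processes ps auxww           # hidden processes will still be missing
  capture "$log" open-files lsof -n
  capture "$log" modules lsmod                # hidden modules will still be missing
  # Checksum the evidence so tampering with the copy is detectable later.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$log" > "$log.sha256"; fi
  printf '%s\n' "$log"
}

# Number of "== " section headers in a snapshot: a quick completeness check.
count_sections() {   # $1 = log file
  grep -c '^== ' -- "$1"
}
```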
 
Old 09-23-2002, 02:03 AM   #4
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Original Poster
Rep: Reputation: 30
I ran chkrootkit... and it turned neg across the board. I think that they hadn't done anything... yet... but they did make it so that an anonymous user could obtain access to the root directory. I fixed this partially by double checking the proftpd.conf file and making it so that anonymous users couldn't write anything. I don't know what to do from this point on though... should I change all my passwords? Can I delete the "\" file/directory outta my ftp "Storage" folder?
 
Old 09-23-2002, 02:26 AM   #5
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
you can delete the file like this
rm -rf "\"
or in a quirky way
rm -rf \\
 
Old 09-23-2002, 02:27 AM   #6
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
Sorry,
rm -rf '\'
or
rm -rf \\
 
Old 09-23-2002, 12:08 PM   #7
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
A little update, now that my head is clear from yesterday's chaos: if you still can ignore my previous two posts, please do so, I obviously wasn't thinking when I hit the "Submit" button. Follow unSpawn's suggestions, and also look up some case studies; I found one on linuxsecurity. The steps described in the article can be used as a guide on how to proceed and recover from an attack. Don't consider a single firewall as all means to harden your box's security; also I found a good article on how to set up an adaptive firewall to block persistent snoopers http://linuxgazette.com/issue82/veerapen.html http://www.linuxsecurity.com/feature...sis-part1.html
http://www.linuxsecurity.com/feature...sis-part2.html

Last edited by neo77777; 09-23-2002 at 02:46 PM.
 
Old 09-23-2002, 02:39 PM   #8
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Original Poster
Rep: Reputation: 30
When I try and remove the \ file/directory thingy... I've tried:

rm -rf '\'
rm -rf \\
even rm -rf "\"

but nothing seems to work... all it seems to do is bring this up:

>_

I hit ctrl+c and type ls... and the stupid \ is still there. WTF?!?
 
Old 09-23-2002, 07:52 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

Rep: Reputation: 2893
"When a man points at the moon, the fool looks at his finger."
 
Old 09-23-2002, 08:49 PM   #10
trickykid
Guru
 
Registered: Jan 2001
Posts: 24,133

Rep: Reputation: 199
Quote:
Originally posted by unSpawn
"When a man points at the moon, the fool looks at his finger."
Amen to that quote.
 
Old 09-25-2002, 02:50 PM   #11
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Original Poster
Rep: Reputation: 30
ohhhh that's real helpful guys!
 
Old 09-25-2002, 04:16 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

Rep: Reputation: 2893
Innit? You've shown clearly you don't have any interest in securing your box, but find "thinking" it's safe is enough.
The 'net is for all of us, by all of us, so if you willfully allow your box to get broken into making it the weakest link, it will affect other boxen if they manage to use yours as another jump. This attitude is one that gets systems broken into.
Credit gone, game over.

But, since you don't care about that and I have to end this thread in a constructive way, try
rm -rf "\\/"

Last edited by unSpawn; 09-25-2002 at 04:19 PM.
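The "\" entry that posts #5 through #12 are trying to remove, as an added shell example that is not from any poster: assuming (as the redirect-to-root behaviour in post #1 suggests) that the entry is a symlink pointing into the root filesystem, the example builds a throwaway sandbox with a constructed link of that name, audits the share for links that resolve outside it, and removes only the link while leaving its target intact. The sandbox layout, the "fakeroot" stand-in for / and the function names are assumptions of this example.

```shell
# Throwaway sandbox: a "Storage" share holding a constructed symlink named "\"
# that points at a directory standing in for / (nothing on the real host is touched).
setup_sandbox() {
  sb=$(mktemp -d)
  mkdir "$sb/Storage" "$sb/fakeroot"
  echo 'stand-in for /etc/passwd' > "$sb/fakeroot/passwd"
  ln -s "$sb/fakeroot" "$sb/Storage/\\"    # "\\" inside double quotes is one backslash
  printf '%s\n' "$sb"
}

# Report every symlink under a share whose resolved target lies outside the share.
# This is the audit to run on an FTP tree after an incident like the one in the thread:
# a link that escapes the share hands the FTP user a path into the rest of the system.
find_escaping_links() {   # $1 = share directory
  share=$(cd -- "$1" && pwd -P)
  find "$share" -type l | while IFS= read -r link; do
    target=$(readlink -f -- "$link" 2>/dev/null) || target='(dangling)'
    case "$target" in
      "$share"/*) ;;                                  # stays inside the share
      *) printf '%s -> %s\n' "$link" "$target" ;;     # escapes it: report
    esac
  done
}

# Remove the link itself and nothing else: the name is quoted, "--" stops rm from
# reading it as an option, and there is no -r and no trailing slash (either of which
# would make rm act on the link's target instead of the link).
remove_entry() {   # $1 = share directory
  rm -- "$1/\\"
}
```

Typing rm -rf \ with a bare, unquoted backslash and pressing Enter is what produces the ">" continuation prompt shown in post #8: the backslash escapes the newline, so the shell is still waiting for the rest of the command and rm never runs.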
 
Old 09-25-2002, 09:05 PM   #13
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Original Poster
Rep: Reputation: 30
Ok... I tried as well... I can't get that stupid thing to go away. I'd really like to know. And dude... I know a lot... but compared to all that is available to know... it's a tiny portion. I started using Linux extensively like 6 months ago; you can't expect someone and/or everyone to go leet in that amount of time. I'm in it to learn... and then help others do the same.

Last edited by bripage; 09-25-2002 at 09:07 PM.
 
Old 10-01-2002, 10:40 PM   #14
dewcansam
Member
 
Registered: Nov 2001
Location: Hi Hat KY USA
Distribution: RedHat, Mandrake
Posts: 63

Rep: Reputation: 15
Not trying to knock anyone. But I understand what unSpawn and trickykid are saying. I also understand what you are going through. That said, instead of freaking out and going "Oh my god, Oh my god, Oh my god":

The first thing you need to do (even if you are a newbie you can do this) is unplug the network cable. Second if you can't follow what unSpawn said in his first post, then wipe the drive clean and start over.

This time don't turn on FTP unless you HAVE to HAVE it. Even then TURN OFF ANONYMOUS ACCESS. Also you really should be using SSH if you can.

If you don't know how to turn on / off anonymous access then post that question later.

p.s. unSpawn, those instructions really helped me out. Thanx

Last edited by dewcansam; 10-01-2002 at 10:41 PM.
 
Old 10-01-2002, 11:07 PM   #15
bripage
Member
 
Registered: Jan 2002
Location: Moorpark
Distribution: SLACK 8!
Posts: 230

Original Poster
Rep: Reputation: 30
uhhh thanks... but that was the first thing I did... I'm not a moron. And yeah, I know how to turn it off... that was the second thing that I did. Any more nonhelping posts?!?

Last edited by trickykid; 10-02-2002 at 09:59 AM.
 
  

