Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!ukma!rutgers!bellcore!ka9q.bellcore.com!karn
From: karn@ka9q.bellcore.com (Phil Karn)
Newsgroups: news.sysadmin
Subject: Re: UK press reports of Internet worm
Message-ID: <11878@bellcore.bellcore.com>
Date: 19 Nov 88 18:03:56 GMT
References: <799@mailrus.cc.umich.edu>
Sender: news@bellcore.bellcore.com
Reply-To: karn@ka9q.bellcore.com.UUCP (Phil Karn)
Organization: Home for Burned-out Hackers
Lines: 31

I've discovered another potential security hole in Berkeley FTP that may be
widespread. If you run a UUCP gateway (or even if you don't), read on.

In all but apparently the most recent version of the BSD UNIX ftp daemon, any
user giving a valid ID and password is allowed to use FTP. The only exceptions
are IDs with null passwords (you can log in via telnet, but not FTP) and IDs
listed in the file /etc/ftpusers. (The file is misnamed, since it contains a
list of accounts that are to be DENIED FTP access.)

It appears that many sites do not list their alternate UUCP ids in this file.
The most common example is "nuucp". Try ftping to your own site and logging in
with your system's various uucp IDs and passwords. If it works, you are
basically giving read access to most of your files to the whole world, since
uucp passwords are usually not very secret.

To see if you've been hit, run "who /usr/adm/wtmp" and grep for lines of the
form

    nuucp    ftp17452    Nov  3 03:10    (oliver.bloomcounty.org)

It appears that the latest version of FTPD works differently. It looks at the
shell entry for the ID in question and lets the user in only if that shell is
on a list of "approved" shells. This is clearly the better way to go, but this
is apparently a very new feature and is not yet widespread. (It also accounts
for the reason you see "getusershell" come up undefined when you try to
install Berkeley's new ftpd that fixes the anonymous ftp hole.) Perhaps
Berkeley should post the sources to getusershell() and related routines.

Phil
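The two checks in the post, done against files rather than by actually logging in, as an added example that is not part of Phil Karn's post. It compares the old ftpd rule (non-null password, not listed in /etc/ftpusers) with the newer rule (login shell must be on the approved list, which is what getusershell() walks in /etc/shells), reports the accounts the old rule admits but the new one would not, and filters "who /usr/adm/wtmp" style output for uucp-type accounts that arrived over FTP. The passwd, ftpusers, shells and wtmp contents below are constructed sample data; that the new rule still rejects null passwords is an assumption.

```shell
#!/bin/sh
# Added audit example, not code from the original post.
# All sample file contents below are constructed.

PASSWD_SAMPLE='root:x1:0:0:Charlie Root:/:/bin/sh
uucp:x2:4:4:UUCP:/usr/spool/uucppublic:/usr/lib/uucp/uucico
nuucp:x3:5:4:UUCP alternate:/usr/spool/uucppublic:/usr/lib/uucp/uucico
guest::100:100:No password:/tmp:/bin/sh
karn:x4:101:101:Phil:/u/karn:/bin/csh'

# /etc/ftpusers: accounts DENIED ftp (note nuucp is missing, as in the post)
FTPUSERS_SAMPLE='root
uucp'

# /etc/shells: the approved-shell list read by getusershell()
SHELLS_SAMPLE='/bin/sh
/bin/csh'

# Constructed "who /usr/adm/wtmp" output
WTMP_SAMPLE='karn     ttyp0    Nov  3 02:55    (gw.bellcore.com)
nuucp    ftp17452 Nov  3 03:10    (oliver.bloomcounty.org)
uucp     ttyd1    Nov  3 03:12'

# old_rule PASSWD FTPUSERS
# Accounts the older ftpd admits: non-empty password field and not in ftpusers.
old_rule() {
    printf '%s\n' "$1" | awk -F: -v list="$2" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) deny[a[i]] = 1 }
        $2 != "" && !($1 in deny) { print $1 }'
}

# new_rule PASSWD SHELLS
# Accounts the newer ftpd admits: login shell ($7) is on the approved list.
# (Keeping the null-password rejection here is an assumption.)
new_rule() {
    printf '%s\n' "$1" | awk -F: -v list="$2" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 != "" && ($7 in ok) { print $1 }'
}

# exposed PASSWD FTPUSERS SHELLS
# Accounts the old rule lets in that the new rule would refuse: these are
# the entries to add to /etc/ftpusers on an older ftpd.
exposed() {
    old_rule "$1" "$2" | while read -r u; do
        if ! new_rule "$1" "$3" | grep -qx "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# ftp_sessions WHO_OUTPUT PASSWD
# Lines where an account whose shell is uucico logged in via an ftp pseudo-tty.
ftp_sessions() {
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) { split(a[i], f, ":"); if (f[7] ~ /uucico$/) uu[f[1]] = 1 }
        }
        ($1 in uu) && $2 ~ /^ftp/ { print }'
}

# Usage on the sample data: prints "nuucp", then the nuucp ftp wtmp line.
exposed "$PASSWD_SAMPLE" "$FTPUSERS_SAMPLE" "$SHELLS_SAMPLE"
ftp_sessions "$WTMP_SAMPLE" "$PASSWD_SAMPLE"
```

Run against the real files with `old_rule "$(cat /etc/passwd)" "$(cat /etc/ftpusers)"` and friends; every name that `exposed` prints is an account that can FTP in with its (probably shared) uucp password on an ftpd that predates the getusershell() check.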