
ftp hacking


Stephen Gregory

May 29, 1998, 3:00:00 AM

[originally this was mail, but I think I will post it too.]

Most of these warez kiddies are probably using illegal copies of Win98.
I would hope that most of the teardrop and related holes were patched.
Also I would suspect that some are using fairly fast links and the
various flood denial of service attacks would not work. However many
kiddies are using 56k modems so if you have a fast enough link you can
flood them. Of course for denial of service attacks I strongly recommend IP
spoofing. Most kiddies have the tools to attack you, but they don't have
the smarts to actually fight.

I would look at more creative deterrents. When they try an upload for
every packet they send throw a re-transmit at them. And instead of filling
the file with the sent packets take some bytes from /dev/random.

Also you might want to use some firewalling. Drop any packets sent to you
from a warez trader even if temporarily. This will confuse them. "This
site was here just a second ago."

I guess it all depends how much work you want to put into it.

(wow didn't know you had your own newsgroup. Of course I can't post to it
as I have to use TIN. TIN won't let me post to groups it doesn't think
exist.)

--
Stephen Gregory

Eli the Bearded (*@qz.to) wrote:
: So I went away for a few days and when I came back I found that I had a
: small warez infestation problem on my webserver. The buggers must think
: I don't look at log files. (I am amused at how many people get my 330k
: collection of Received: headers, named "received1".)

: Anyway I am curious about the modus operandi of these people. They did
: the sophomoric trick of creating a directory named ".. " and the first
: thing they put in it was some file called autoname.dat:

: $ od -xc autoname.dat
: 0000000 0001 ffff 0001 0009 4143 7475 4e6f 6d61
: 001 \0 377 377 001 \0 \t \0 C A u t o N a m
: 0000020 0165 0400 482e 4d54 2e05 5448 4c4d
: e 001 \0 004 . H T M 005 . H T M L
: 0000036

: This makes me suspect there is some program they use to find sites and
: deal with them. Does anyone know anything about this? One of the things
: they left there was something called "IPanzer". What is that? My hunch
: is it might be warezware of some sort.

: I removed the directory and as a tease replaced it with one owned by
: root, mode 711, named "..^H" (with ^H being the control character).

: Anyway this whole thing has made me decide I need to hack on ftp some.
: Today I changed wu-ftpd to issue LOG_CRIT messages when anonymous users
: attempt to issue MKD commands.

: I also rewrote winnuke to be a handy function and threw it in
: /usr/lib/libwinnuke.a for easy incorporation into various programs.
: Tomorrow I think that it is going to become part of myftp daemon. I
: am also contemplating creating ftp or ls hack to make directory seem
: to be world writable when it is not, to make sure people looking for
: places to put warez think they have found a spot.

: One thing I am curious about is: is winnuke still an effective threat?
: Are there other things I could add as good deterrents when I can detect
: offensive actions by others?

: Elijah
: ------
: will likely put the patches on his ftp site when done
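The two detection ideas in the thread (log anonymous MKD attempts, and notice directory names like ".. " that are built to hide in a listing) as an added example, not code from either poster or from wu-ftpd. The syslog line shape, the login-message wording and the sample log lines are all constructed for this example; a real wu-ftpd command log may differ, so the regexes would need adjusting before use.

```python
import re
from dataclasses import dataclass

# Assumed (not taken from wu-ftpd) syslog line shape:
#   "May 29 02:58:13 host ftpd[2041]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# Assumed login messages; the session is keyed by the daemon's pid.
ANON_LOGIN_RE = re.compile(r'^ANONYMOUS FTP LOGIN FROM (?P<rhost>\S+) \[(?P<ip>[^\]]+)\]')
USER_LOGIN_RE = re.compile(r'^FTP LOGIN FROM (?P<rhost>\S+) \[(?P<ip>[^\]]+)\], (?P<user>\S+)')
# A logged command: verb, optional argument (argument keeps trailing spaces).
CMD_RE = re.compile(r'^(?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$', re.DOTALL)


def is_disguised_dirname(name):
    """True when a name is meant to pass for '.' or '..' in a listing:
    the visible part is '.' or '..' but the name also carries whitespace
    or control characters (e.g. '.. ' with a trailing space, '..\\x08')."""
    if not name.startswith('.'):
        return False
    has_junk = any(ch.isspace() or not ch.isprintable() for ch in name)
    core = ''.join(ch for ch in name if ch.isprintable() and not ch.isspace())
    return has_junk and core in ('.', '..')


@dataclass
class Alert:
    ts: str
    pid: str
    ip: str
    reason: str   # 'anon-mkd' or 'disguised-name'
    detail: str   # the command argument that triggered it


def scan_ftpd_log(lines):
    """Walk the log once, remember who each pid is logged in as, and raise
    an alert for anonymous MKD and for any MKD/CWD path component that is a
    disguised '.'/'..' name."""
    sessions = {}   # pid -> (user, ip)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.group('ts'), m.group('pid'), m.group('msg')
        a = ANON_LOGIN_RE.match(msg)
        if a:
            sessions[pid] = ('anonymous', a.group('ip'))
            continue
        u = USER_LOGIN_RE.match(msg)
        if u:
            sessions[pid] = (u.group('user'), u.group('ip'))
            continue
        c = CMD_RE.match(msg)
        if not c:
            continue
        user, ip = sessions.get(pid, ('?', '?'))
        cmd, arg = c.group('cmd'), c.group('arg') or ''
        if cmd in ('MKD', 'XMKD') and user == 'anonymous':
            alerts.append(Alert(ts, pid, ip, 'anon-mkd', arg))
        if cmd in ('MKD', 'XMKD', 'CWD', 'XCWD'):
            if any(is_disguised_dirname(part) for part in arg.split('/')):
                alerts.append(Alert(ts, pid, ip, 'disguised-name', arg))
    return alerts


# Constructed sample log: one anonymous session that creates and enters a
# ".. " directory (note the trailing space), one real user making a normal
# directory, and one anonymous download that should not alert.
SAMPLE_LOG = [
    "May 29 02:58:10 qz ftpd[2041]: ANONYMOUS FTP LOGIN FROM warez.example [192.0.2.7], mozilla@",
    "May 29 02:58:12 qz ftpd[2041]: CWD /pub/incoming",
    "May 29 02:58:13 qz ftpd[2041]: MKD .. ",
    "May 29 02:58:14 qz ftpd[2041]: CWD .. ",
    "May 29 02:58:15 qz ftpd[2041]: STOR autoname.dat",
    "May 29 03:01:00 qz ftpd[2050]: FTP LOGIN FROM shell.example [198.51.100.4], elijah",
    "May 29 03:01:05 qz ftpd[2050]: MKD patches",
    "May 29 03:02:00 qz ftpd[2061]: ANONYMOUS FTP LOGIN FROM mirror.example [203.0.113.9], guest@",
    "May 29 03:02:02 qz ftpd[2061]: RETR received1",
]

if __name__ == '__main__':
    for alert in scan_ftpd_log(SAMPLE_LOG):
        print(f"{alert.ts} pid={alert.pid} ip={alert.ip} {alert.reason}: {alert.detail!r}")
```

The name check deliberately keeps the raw argument (no `strip()`), since the trailing space or control character is the whole point of the trick; a log pipeline that trims whitespace before matching would make ".. " indistinguishable from "..".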
