From: "Dennis" <dennis (at mark) mixfans.org>
> Hi Steffan
>
> No, in my situation the user probably first found an FTP account of a user
> that had a bad password,
> then he uploaded the .pl file, which is a CGI-TELNET script.
> Through this script he was able to put an aha.c file (bind.tty) and bind in
> the same folder, and together with cgi.php, which was a PHP shell script,
> he was able to put the prctl suidsafe exploit from Julien Tinnes in the
> crontab,
> and that was causing a malicious crontab error as the command
> /dev/shm/nice2k did not seem to work
>
What tends to happen is that your users create an email account like user
sam, password sam. Then brute-force guessing scripts find it and use it
to upload scripts to the user directory.
Maybe Michael Stauber's password checking code could be added to the BQ GUI.
What we do is set up the proftpd.conf to not allow FTP for users that are
not siteadmins.
After the end of the global I add:
</Global>
<Limit LOGIN>
DenyAll
AllowGroup site-adm
AllowUser admin
AllowUser some-other-user-if-you-want
</Limit>
----
Ken Marcus
Precision Web Hosting, Inc.
http://www.precisionweb.net
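
Added example, not part of the original messages: a small log check for the scenario discussed above, flagging uploads of script or source files and FTP activity by accounts that the <Limit LOGIN> block should have shut out. It assumes the server writes the standard xferlog format (ProFTPD's TransferLog); the allowlist, extension set and sample lines are constructed for illustration.

```python
# Added example: audit an FTP xferlog for script uploads and unexpected users.
from pathlib import PurePosixPath

SCRIPT_EXTS = {".pl", ".cgi", ".php", ".c", ".sh", ".py"}  # assumption: tune per site
ALLOWED_USERS = {"admin"}  # assumption: accounts the <Limit LOGIN> block lets in

def parse_xferlog(line):
    """Return a dict for one xferlog line, or None if it is malformed."""
    tok = line.split()
    # 5 timestamp tokens + duration + host + size, filename, then 9 fixed fields.
    if len(tok) < 18:
        return None
    tail = tok[-9:]
    return {
        "time": " ".join(tok[0:5]),
        "host": tok[6],
        # Parse from both ends so a filename containing spaces stays intact.
        "file": " ".join(tok[8:-9]),
        "direction": tail[2],  # "i" = incoming (upload)
        "user": tail[4],
    }

def findings(lines, allowed=ALLOWED_USERS, exts=SCRIPT_EXTS):
    """Return (user, host, file, reasons) for every suspicious upload."""
    out = []
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i":
            continue
        reasons = []
        if PurePosixPath(rec["file"]).suffix.lower() in exts:
            reasons.append("script-upload")
        if rec["user"] not in allowed:
            reasons.append("unexpected-user")
        if reasons:
            out.append((rec["user"], rec["host"], rec["file"], reasons))
    return out

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    "Mon Oct 22 10:15:32 2007 1 198.51.100.23 4821 /home/sam/web/t.pl a _ i r sam ftp 0 * c",
    "Mon Oct 22 10:20:01 2007 2 192.0.2.10 10240 /home/admin/web/index.html a _ i r admin ftp 0 * c",
    "Mon Oct 22 10:21:40 2007 1 192.0.2.10 512 /home/admin/web/logo.png b _ o r admin ftp 0 * c",
    "Mon Oct 22 10:25:09 2007 1 192.0.2.10 300 /home/admin/web/my form.PHP a _ i r admin ftp 0 * c",
    "truncated line",
]

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

Any "unexpected-user" hit after the LOGIN limit is in place means the restriction is not being applied to that account.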