Anonymous FTP Abuses

---

1. DESCRIPTION

   This document provides a general overview of problems associated with
   abuses of anonymous FTP (File Transfer Protocol) areas. It includes
   information that will help you respond to and recover from such activity.

   This document addresses two issues relating to anonymous FTP abuse (details
   are in Section 3):

        - Software piracy (the distribution of stolen software, copyrighted
          or proprietary materials, or similar information) (Sec. 3.1)

        - Misconfigured/compromised FTP server (Sec. 3.2)
                
   Anonymous archives may be provided in a number of ways, most commonly
   through anonymous FTP (although similar services can be provided via other 
   protocols such as FSP and NFS). Some sites configure their anonymous
   FTP servers to allow writable areas (for example, to make available
   incoming or "drop-off" directories for files being sent to the site). If
   these files can be *read* by anonymous FTP users, then the potential for
   abuse exists.  

   Abusers often gather and distribute lists describing the locations of
   vulnerable sites and the information these sites contain. The lists
   commonly include the names of writable directories and the locations of
   pirated software; they may also include password files and/or other
   sensitive information. 

   Unfortunately, there have been many cases in which system administrators
   are unaware that this abuse is taking place on their archive. They may be
   unfamiliar with this type of abuse (and so haven't taken steps to prevent
   it), or they may think that they have configured the archive to prevent 
   abuse when, in fact, they have not. System administrators at the sites 
   being used to place/pick up items from the drop-off area may also not be
   aware that their users are participating in this activity. 

   Finally, an anonymous archive server actually may be misconfigured or
   compromised. This misconfiguration/compromise could, in addition to the
   abuses mentioned above, provide someone with the ability to run processes
   under the UID of the FTP daemon. 


2. TECHNICAL ISSUES

   2.1. A file can be placed in the writable area of the anonymous FTP server.
        If this area is also readable, anyone who can connect to the
        anonymous FTP server can obtain a copy of the file.

   2.2. Specifically, abusers do the following:

        - Store and retrieve information. This information is often placed in
          unusual or hidden files (e.g., files whose names start with a period
          or a space and that are normally not shown by "ls"), possibly inside
          hidden directories nested several layers deep and not readily
          apparent.

        - Gather information about the availability of sites where the
          anonymous FTP areas are abused, then compile a comprehensive listing
          (known as "warez" lists) of the locations. The lists typically
          include the names of writable directories and the locations of
          pirated software; they may also include entries for accounts and
          passwords.  

          Please note that these lists may or may not be out of date; there
          is no way to tell whether the information is accurate without
          checking each site.
        
        - Disseminate information about the location of such materials via
          email, Internet Relay Chat (IRC), posting to newsgroups or
          bulletin-board services, or other means.

        - Use this information for personal, commercial or political gain, or
          carry out attacks against other individuals or organizations.

        - Abuse a vulnerable archive site for a short span of time and then
          move on to other sites. 

        - Leverage this access and/or exploit system configuration weaknesses
          to gain other privileged access. 

   2.3. Some sites have reported many hundreds of connections in a very short
        span of time that have been identified as "puts" and "gets" (e.g., to
        store and retrieve pirated software) on their anonymous archive server.
        This may cause a denial of service, crash the system, or consume disk
        space on the system.

   2.4. FSP is an anonymous archiving service that is similar to FTP. It is a
        UDP-based service that often uses the privileged UDP port 21.
        However, we have seen cases where users or intruders have established 
        their own FSP service on a non-privileged UDP port. Although FSP in
        itself is not a problem, it has the same potential for abuse as FTP.


3. WHAT YOU CAN DO 

   3.1. Software piracy

        3.1.1. Detection

               3.1.1.1. Develop in-house tools to parse the logs generated
                        from accesses to your server for puts/gets (e.g.,
                        "STOR" and "RETR" sessions). Review this information
                        for unusual or unexpected activity. 

               3.1.1.2. Regularly review the contents of your archive's
                        incoming or "drop-off" area to identify abuse, then
                        follow up in accordance with relevant policies and
                        procedures in your organization.

               3.1.1.3. Check for hidden directories (directories with spaces,
                        special or control characters, etc.).

               3.1.1.4. If you do not intend to offer an FSP service,
                        examine your systems for UDP services available on
                        port 21.

                        NOTE: If a user offers an unauthorized FTP or FSP
                        service on an unprivileged port, it may be difficult
                        to detect the service without a port scan.

        3.1.2. Reaction

               3.1.2.1. If you believe that your anonymous archive is being
                        used for distributing pirated software, we encourage
                        you to review the directories/files created as a result
                        of this abuse in accordance with policies and
                        procedures that may be in place within your
                        organization. 

               3.1.2.2. If you discover that your anonymous archive has been
                        misused and you find any lists containing references to
                        other sites, we encourage you to do the following:

                        - Determine where the unauthorized access(es)
                          originated (because these sites may themselves be 
                          compromised). 

                        - Review the contents of any files or directories (in 
                          accordance with policies and procedures) for
                          references to other sites or account/password
                          combinations.    

                        - Notify any sites you identified, alerting them to the
                          activity and asking them to check for potential
                          misuse or compromise.

                          To find site contact information, please refer to

                          ftp://info.cert.org/pub/whois_how_to

                          Feel free to include a copy of this document in
                          your message to the sites, especially those sites
                          that include a password file or host/account/password
                          combination. These sites will want to check for
                          further compromise.

        3.1.3. Prevention

               3.1.3.1. Review the CERT "tech tip" on anonymous FTP
                        to ensure your FTP server has been configured
                        correctly. 

                        This tech tip provides suggestions for configuring an
                        anonymous FTP area.  The document is available from

                        ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

               3.1.3.2. Regularly review the contents of your anonymous archive
                        to identify abuses and follow up as outlined above. 

               3.1.3.3. Use tools (such as Tripwire) to check file and
                        directory integrity. You can get Tripwire and other
                        tools from

                        ftp://info.cert.org/pub/tools/

   3.2. Compromised FTP server

        3.2.1. Detection

               3.2.1.1. Develop in-house tools to parse your FTP logs for
                        puts/gets (e.g., "STOR" and "RETR" sessions). Review
                        this information for unusual or unexpected activity.
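
        The log review described in 3.1.1.1 and again in 3.2.1.1, written out
        as an added example that is not part of this CERT document. It assumes
        the server records transfers in the wu-ftpd xferlog(5) layout, where
        the direction field is "i" for a STOR (put) and "o" for a RETR (get)
        and the access field is "a" for anonymous. The log lines, host names
        and the /pub/incoming drop-off path are constructed for illustration,
        and the burst threshold is an arbitrary starting point to tune against
        your own traffic. It goes a little beyond the text by pairing puts and
        gets of the same file from different hosts, which is the drop-off
        relay pattern described in Section 2.

```python
"""Flag drop-off abuse patterns in a wu-ftpd style xferlog.

Added example; not part of the CERT document.  Assumes xferlog(5) records:
  <day> <mon> <dd> <hh:mm:ss> <yyyy> <secs> <host> <bytes> <path> <type>
  <special> <direction> <access> <user> <service> <auth> <auth-user>
with direction 'i' = STOR (put), 'o' = RETR (get) and access 'a' = anonymous.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: a hidden put/get relay through the drop-off
# area, one benign download, a burst of puts from one host, and a real-user
# transfer that an anonymous-area review should ignore.
SAMPLE_LOG = """\
Mon Dec  2 10:30:12 1996 5 alpha.example.net 1048576 /pub/incoming/.hidden/game.zip b _ i a ftp@ ftp 0 *
Mon Dec  2 11:02:45 1996 7 bravo.example.org 1048576 /pub/incoming/.hidden/game.zip b _ o a mozilla@ ftp 0 *
Mon Dec  2 11:05:01 1996 2 charlie.example.com 204800 /pub/tools/tripwire.tar.gz b _ o a user@ ftp 0 *
Mon Dec  2 12:00:01 1996 1 delta.example.net 524288 /pub/incoming/part01.zip b _ i a x@ ftp 0 *
Mon Dec  2 12:00:09 1996 1 delta.example.net 524288 /pub/incoming/part02.zip b _ i a x@ ftp 0 *
Mon Dec  2 12:00:17 1996 1 delta.example.net 524288 /pub/incoming/part03.zip b _ i a x@ ftp 0 *
Mon Dec  2 12:00:25 1996 1 delta.example.net 524288 /pub/incoming/part04.zip b _ i a x@ ftp 0 *
Mon Dec  2 12:00:33 1996 1 delta.example.net 524288 /pub/incoming/part05.zip b _ i a x@ ftp 0 *
Mon Dec  2 13:15:00 1996 3 staff.example.com 4096 /home/staff/notes.txt a _ i r staff ftp 1 staff
"""


def parse_xferlog_line(line):
    """Return the fields this review needs, or None for a malformed record."""
    parts = line.split()
    if len(parts) < 17:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    return {"time": when, "host": parts[6], "size": size, "path": parts[8],
            "direction": parts[11], "access": parts[12]}


def hidden_components(path):
    """Path components that a plain 'ls' would not show (leading dot)."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def analyze(log_text, drop_dir="/pub/incoming", burst_limit=5,
            window=timedelta(minutes=10)):
    """Return (kind, who, detail) findings for anonymous transfers only."""
    records = [r for r in map(parse_xferlog_line, log_text.splitlines()) if r]
    anon = sorted((r for r in records if r["access"] == "a"), key=lambda r: r["time"])
    findings = []

    # 1. Anything stored in or fetched from a hidden path inside the drop-off area.
    for r in anon:
        if r["path"].startswith(drop_dir) and hidden_components(r["path"]):
            findings.append(("hidden_path", r["host"], r["path"]))

    # 2. Relay pattern: a file put by one host and later got by a different one.
    stored_by = {}
    for r in anon:
        if not r["path"].startswith(drop_dir):
            continue
        if r["direction"] == "i":
            stored_by.setdefault(r["path"], r["host"])
        elif r["direction"] == "o" and stored_by.get(r["path"], r["host"]) != r["host"]:
            findings.append(("relay", stored_by[r["path"]] + " -> " + r["host"], r["path"]))

    # 3. Burst: one host making burst_limit or more transfers inside the window
    #    (the "many hundreds of connections in a very short span" of Section 2.3).
    by_host = defaultdict(list)
    for r in anon:
        by_host[r["host"]].append(r["time"])
    for host, times in by_host.items():          # times are already in order
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= burst_limit:
                findings.append(("burst", host, "%d transfers within %s" % (count, window)))
                break
    return findings


if __name__ == "__main__":
    for kind, who, detail in analyze(SAMPLE_LOG):
        print("%-12s %-40s %s" % (kind, who, detail))
```

        One caveat when running this against real logs: xferlog replaces
        spaces in file names with underscores, so a directory whose name is
        just a space shows up as "_" in the log and will not trip the
        leading-dot test above; the filesystem scan in 3.2.1.2 is the place
        to catch those.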

               3.2.1.2. Review the contents of your FTP directories on a
                        regular basis for inappropriate files. Check also for
                        hidden directories (directories with spaces or
                        special/control characters). 
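
        The directory review of 3.1.1.3 and 3.2.1.2 as a walk over the archive
        tree, added here as an example that is not part of this CERT document.
        It flags names that a casual "ls" would miss (leading dot, leading or
        trailing space, control characters), directories nested unusually
        deep, and, from Section 2.1, drop-off directories that are both
        writable and readable by everyone. To run offline it builds its own
        throwaway tree under the system temp directory; the names in that tree
        are constructed to mimic an abused ~ftp/pub/incoming area, and the
        depth limit of four levels is an assumed threshold.

```python
"""Walk an anonymous FTP area looking for names and modes used to hide files.

Added example; not part of the CERT document.  The sample tree it builds is
constructed for illustration and removed again by the caller.
"""
import os
import shutil
import stat
import tempfile


def suspicious_name(name):
    """Reason a name looks chosen to evade a casual 'ls', or None if it is ordinary."""
    if name in (".", ".."):
        return None
    if name.startswith("."):
        return "leading dot (not shown by plain ls)"
    if name != name.strip(" "):
        return "leading or trailing space"
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
        return "control character in name"
    return None


def open_to_others(path):
    """True when a directory is both writable and readable by everyone (Section 2.1)."""
    mode = os.lstat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IROTH)


def scan_archive(root, max_depth=4):
    """Return sorted (relative path, reason) pairs for the whole tree under root."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel != "." and open_to_others(dirpath):
            findings.append((rel, "writable and readable by others (drop-off files can be fetched)"))
        if rel != "." and rel.count("/") + 1 > max_depth:
            findings.append((rel, "nested deeper than %d levels" % max_depth))
        for name in dirnames + filenames:
            reason = suspicious_name(name)
            if reason:
                findings.append((name if rel == "." else rel + "/" + name, reason))
    return sorted(findings)


def build_sample_tree():
    """Construct a tree that mimics an abused ~ftp/pub/incoming area."""
    root = tempfile.mkdtemp(prefix="ftp-archive-")
    incoming = os.path.join(root, "pub", "incoming")
    os.makedirs(os.path.join(incoming, " ", "...", "warez"))   # space-named, dot-named, deep
    os.makedirs(os.path.join(incoming, "\x01data"))            # control character in name
    os.makedirs(os.path.join(root, "pub", "tools"))
    open(os.path.join(incoming, " ", "...", "warez", "game.zip"), "w").close()
    open(os.path.join(incoming, "README"), "w").close()
    for dirpath, dirnames, _ in os.walk(root):                # fix modes independent of umask
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(incoming, 0o777)                                  # the classic mistake: o+rw
    return root


def remove_sample_tree(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root)


if __name__ == "__main__":
    tree = build_sample_tree()
    try:
        for path, reason in scan_archive(tree):
            print("%-40r %s" % (path, reason))
    finally:
        remove_sample_tree(tree)
```

        Point scan_archive at the real ~ftp root to use it; the repr-style
        printing in the usage block is deliberate, since the whole point of a
        space- or control-character name is that it looks blank on a terminal.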

               3.2.1.3. Ensure there has been no unauthorized modification to
                        ANY existing files (or addition of new files) on
                        your archive (including the ftp daemon).

               3.2.1.4. Ensure there has been no addition of files with a
                        security impact (such as ~ftp/.rhosts).

                        We have had reports where abusers have replaced an
                        original file with a Trojan horse version of a file (or
                        daemon). 

                        There are tools available (e.g., Tripwire) that can
                        help you check file integrity (see Sections 3.1.3.3 and
                        4.2). 
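
        A baseline-and-compare integrity check covering 3.2.1.3 and 3.2.1.4,
        added here as an example; it is not part of this CERT document and it
        is not Tripwire, only a minimal stand-in for the kind of check Tripwire
        performs. It records a SHA-256 digest, mode and size for every regular
        file under the archive root, reports files added, removed or changed
        since the baseline, and calls out additions whose names carry a
        security impact. The sample archive, the tampering applied to it and
        the SENSITIVE_NAMES list are constructed assumptions.

```python
"""Baseline-and-compare integrity check for an anonymous FTP area.

Added example; not part of the CERT document and not Tripwire itself.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Names whose appearance in the archive deserves immediate attention.  .rhosts
# is the case the CERT text cites; extend the set for your own environment.
SENSITIVE_NAMES = {".rhosts"}


def file_digest(path, chunk=65536):
    """SHA-256 of a file read in chunks (archive files can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file ('/'-separated relative path) to digest, mode and size."""
    root = os.path.abspath(root)
    table = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                       # symlinks and specials: not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = {"sha256": file_digest(full),
                          "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}
    return table


def save_baseline(table, path):
    """Write the baseline as JSON; keep the copy somewhere the ftp UID cannot write."""
    with open(path, "w") as fh:
        json.dump(table, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Added, removed and modified relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_sensitive(diff):
    """Additions whose basename is on the sensitive list (e.g. ~ftp/.rhosts)."""
    return [p for p in diff["added"] if p.rsplit("/", 1)[-1] in SENSITIVE_NAMES]


def build_sample_archive():
    """Construct a small ~ftp layout: bin/ls, etc/passwd and one public tarball."""
    root = tempfile.mkdtemp(prefix="ftp-root-")
    for rel, data in {"bin/ls": b"ELF-stand-in: original ls\n",
                      "etc/passwd": b"ftp:*:500:500:anonymous ftp:/:/bin/false\n",
                      "pub/tools/tripwire.tar.gz": b"\x1f\x8b stand-in archive\n"}.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def tamper_sample_archive(root):
    """Simulate what 3.2.1.3 and 3.2.1.4 warn about: a replaced binary and a new .rhosts."""
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(b"ELF-stand-in: replaced ls\n")
    with open(os.path.join(root, ".rhosts"), "wb") as fh:
        fh.write(b"constructed sample\n")


def remove_sample_archive(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_archive()
    baseline_file = root + ".baseline.json"
    try:
        save_baseline(snapshot(root), baseline_file)
        tamper_sample_archive(root)
        diff = compare(load_baseline(baseline_file), snapshot(root))
        print(json.dumps(diff, indent=1))
        print("sensitive additions:", flag_sensitive(diff))
    finally:
        remove_sample_archive(root)
        os.remove(baseline_file)
```

        The baseline is only as trustworthy as its storage: if it lives where
        the ftp UID can write, a Trojan horse daemon can rewrite the baseline
        along with itself, which is why the comment on save_baseline insists
        on read-only or off-host storage.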

        3.2.2. Reaction

               3.2.2.1. Follow any policies and procedures that you (or your
                        site or organization) may have in place.

               3.2.2.2. We encourage you to check for signs of compromise using
                        our "CERT Generic Security Information" available from

                        ftp://info.cert.org/pub/tech_tips/security_info

                        We encourage you to consult past CERT advisories, CERT
                        summaries, and vendor bulletins, and apply what is
                        relevant to your particular configuration. We also urge
                        you to obtain and install all applicable patches or
                        workarounds described in advisories and bulletins on
                        widely used services such as rdist, tftp, ftpd,
                        anonymous FTP, NFS, and sendmail.  

                        Past CERT advisories, CERT summaries, and vendor
                        bulletins are available from 

                        ftp://info.cert.org/pub/cert_advisories
                        ftp://info.cert.org/pub/cert_summaries
                        ftp://info.cert.org/pub/cert_bulletins


               3.2.2.3. Review the CERT "tech tip" on anonymous FTP. This tech
                        tip provides suggestions for configuring an anonymous
                        FTP area, and the information will help to minimize
                        undesirable activity on the FTP server. The file is
                        available from

                        ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

               3.2.2.4. If you discover that your FTP area has been misused
                        and you find lists containing references to other
                        sites, we encourage you to take these steps:

                        - Complete and return the CERT/CC Incident Reporting
                          Form, available from

                          ftp://info.cert.org/pub/incident_reporting_form

                          This completed form will help us better assist you.

                        - Determine where the unauthorized access(es)
                          originated.

                        - Review the contents of files or directories for
                          references to other sites or account/password
                          combinations.

                        - Notify any identified sites, alerting them to
                          the activity and asking them to check for potential
                          misuse. 

                          To find site contact information, please refer to

                          ftp://info.cert.org/pub/whois_how_to

                          Feel free to include a copy of this document in
                          your message to the sites, especially those that
                          include a password file or host/account/password
                          combination. They will want to check for further
                          compromise.

        3.2.3. Prevention

               3.2.3.1. Ensure that your FTP area is correctly configured to
                        prevent misuse in this manner. 

               3.2.3.2. Regularly review the configuration and contents of your
                        FTP area to identify abuses and follow up as outlined
                        above.


4. ADDITIONAL SECURITY MEASURES THAT YOU CAN TAKE

   4.1. If you have questions concerning legal issues, we encourage you to work
        with your legal counsel.  

        U.S. sites that are interested in an investigation of this activity can
        contact the FBI:

            FBI National Computer Crimes Squad 
            Washington, DC
            +1 202 324-9164

        Non-U.S. sites may want to discuss the activity with their local law
        enforcement agency to determine the appropriate steps relating to
        pursuing an investigation. 

   4.2. For general security information, please see

        ftp://info.cert.org/pub/

   4.3. To report an incident, please complete and return

        ftp://info.cert.org/pub/incident_reporting_form



Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

The CERT Coordination Center is sponsored 
by the Defense Advanced Research Projects Agency (DARPA). 
The Software Engineering Institute is sponsored by the U.S.  Department of Defense.
