
[cobalt-users] RAQ4r - dropdown attack detected with SafeTP? Possible OS Update 2.0 problem?



I have previously installed safetp, but adjusted it to allow insecure
connections for Mac users who can't install the local client on another
port - 351 I think.

After installing the latest patch, I got a message today from a user who
complained that he couldn't log in via ftp and got the following message; he
tried the standard port of 21. (He does have safetp on his machine and has
ftp'd okay before.)

"959 Dropdown attack detected. Please contact your system administrator.
(Are you connected to the SafeTP-enabled port? You may need to specify port
353)
Connection terminated."

So on the windows machine I tried securely on 353, and got a connection
refused message. Then tried on 21, got same message as user. Tried on 351
and got in.

I closed the ftp application (smartftp) and turned off safetp on the windows
machine.

Trying again on 21 and 353 and got connected via ftp no problem. So,
insecure works.  Bad!

The inetd.conf seems to have changed date, so I assume something's changed
there, but I can't see it for looking... I'd re-enabled the SafeTP
commented-out line previously. I assume that this is something to do with
the latest update. I'd be grateful for advice on what to do to re-secure the
server and allow unsecured connections on an alternative port for those Mac
users...

Here's the inetd.conf
<some comments snipped>
# These are standard services.
#
# (removed by SafeTP install 01/06/02 username) ftp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp     waut    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  in.qpopper -R
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  sr/lib/uucp/uucico    -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat        stream  tcp     nowait  guest   /usr/sbin/tcpd  in/netstat    -f inet
#
# Authentication
#
#auth   stream  tcp     nowait    nobody    /usr/sbin/in.identd  in.identd -l -e -o
#
# End of inetd.conf
#swat      stream  tcp     nowait.400      root /usr/sbin/swat swat
#gds_db  stream  tcp     nowait.30000      root    /usr/local/sbin/gds_inet_server gds_inet_server # InterBase Database Remote Server
# Veritas NetBackup Configuration Start

# Veritas NetBackup Configuration End
#
# added by SafeTP install 01/06/02 username
#
raw-ftp stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
safetp  stream  tcp     nowait  safetp  /home/safetp/sftpd  sftpd -f351 -s -y/home/safetp -9

I'm obviously missing something here. Any help and advice gratefully
received.

Kind regards,
Liam
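As an added example (not from Liam's mail, SafeTP or Cobalt), a small Python audit that parses an inetd.conf and flags an active 'ftp' entry whose real server program is not the SafeTP daemon, which is the condition the quoted file is in after the update. The sample config is constructed from the entries quoted above, the daemon name sftpd is taken from the safetp line, and the "secured" variant assumes the fix is to comment the plain ftp line back out, as the SafeTP installer had originally done.

```python
"""Audit an inetd.conf for a cleartext FTP listener that bypasses SafeTP."""
import os
from typing import Dict, List

# Constructed sample modelled on the entries quoted in the mail above (not the poster's file verbatim).
SAMPLE_INETD_CONF = """\
# (removed by SafeTP install 01/06/02 username) ftp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  in.qpopper -R
raw-ftp stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
safetp  stream  tcp     nowait  safetp  /home/safetp/sftpd sftpd -f351 -s -y/home/safetp -9
"""

FIELDS = ("service", "socktype", "proto", "wait", "user", "server")

def parse_inetd(text: str) -> List[Dict[str, str]]:
    """Active (uncommented) entries: service socktype proto wait[.max] user server [argv...].
    'args' keeps everything after the server path, argv[0] first, as inetd passes it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:  # malformed line; inetd would reject it, so skip it
            continue
        entry = dict(zip(FIELDS, fields[:6]))
        entry["args"] = fields[6] if len(fields) > 6 else ""
        entries.append(entry)
    return entries

def real_program(entry: Dict[str, str]) -> str:
    """Program that actually serves the connection: behind tcpd it is argv[0] of the wrapped daemon."""
    if os.path.basename(entry["server"]) == "tcpd" and entry["args"]:
        return os.path.basename(entry["args"].split()[0])
    return os.path.basename(entry["server"])

def find_cleartext_ftp(text: str, safetp_daemon: str = "sftpd") -> List[str]:
    """Flag each active 'ftp' entry (port 21 via /etc/services) whose program is not the SafeTP daemon."""
    findings = []
    for entry in parse_inetd(text):
        program = real_program(entry)
        if entry["service"] == "ftp" and program != safetp_daemon:
            findings.append(f"ftp/{entry['proto']} handled by {program}, bypassing SafeTP")
    return findings

def secured_variant(text: str) -> str:
    """Assumed fix for comparison: the plain 'ftp' line commented out again, as the installer left it."""
    return "\n".join("#" + ln if ln.startswith("ftp ") else ln for ln in text.splitlines()) + "\n"
```

Run find_cleartext_ftp() over the real /etc/inetd.conf after each OS update; an empty result means port 21 is again in SafeTP's hands while raw-ftp keeps the insecure fallback port.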