Anonymous FTP Abuses

---

1. DESCRIPTION

   This document provides a general overview of problems associated with
   abuses of anonymous FTP (File Transfer Protocol) areas. It includes
   information that will help you respond to and recover from such activity.

   This document addresses two issues relating to anonymous FTP abuse (details
   are in Section 3):

        - Software piracy (the distribution of stolen software, copyrighted
          or proprietary materials, or similar information) (Sec. 3.1)

        - Misconfigured/compromised FTP server (Sec. 3.2)
                
   Anonymous archives may be provided in a number of ways, most commonly
   through anonymous FTP (although similar services can be provided via other 
   protocols such as FSP and NFS). Some sites configure their anonymous
   FTP servers to allow writable areas (for example, to make available
   incoming or "drop-off" directories for files being sent to the site). If
   these files can be *read* by anonymous FTP users, then the potential for
   abuse exists.  

   Abusers often gather and distribute lists describing the locations of
   vulnerable sites and the information these sites contain. The lists
   commonly include the names of writable directories and the locations of
   pirated software; they may also include password files and/or other
   sensitive information. 

   Unfortunately, there have been many cases in which system administrators
   are unaware that this abuse is taking place on their archive. They may be
   unfamiliar with this type of abuse (and so haven't taken steps to prevent
   it), or they may think that they have configured the archive to prevent 
   abuse when, in fact, they have not. System administrators at the sites 
   being used to place/pick up items from the drop-off area may also not be
   aware that their users are participating in this activity. 

   Finally, an anonymous archive server actually may be misconfigured or
   compromised. This misconfiguration/compromise could, in addition to the
   abuses mentioned above, provide someone with the ability to run processes
   under the UID of the FTP daemon. 


2. TECHNICAL ISSUES

   2.1. A file can be placed in the writable area of the anonymous FTP server.
        If this area is also readable, anyone who can connect to the
        anonymous FTP server can obtain a copy of the file.

   2.2. Specifically, abusers do the following:

        - Store and retrieve information. This information is often placed in
          unusual or hidden files (e.g., files that start with a period or
          space and normally not shown by "ls") that may be placed in hidden
          directories, possibly nested within several layers and not readily
          apparent. 

        - Gather information about the availability of sites where the
          anonymous FTP areas are abused, then compile a comprehensive listing
          (known as "warez" lists) of the locations. The lists typically
          include the names of writable directories and the locations of
          pirated software; they may also include entries for accounts and
          passwords.  

          Please note that these lists may nor may not be out of date; there
          is no way to tell if the information is accurate without checking
          each site.  
        
        - Disseminate information about the location of such materials via
          email, Internet Relay Chat (IRC), posting to newsgroups or
          bulletin-board services, or other means.

        - Use this information for personal, commercial or political gain, or
          carry out attacks against other individuals or organizations.

        - Abuse a vulnerable archive site for a short span of time and then
          move on to other sites. 

        - Leverage this access and/or exploit system configuration weaknesses
          to gain other privileged access. 

   2.3. Some sites have reported many hundreds of connections in a very short
        span of time that have been identified as "puts" and "gets", e.g., to
        store and retrieve pirated software, on their anonymous archive server.
        This may cause a denial of service, crash the system, or consume disk
        space on the system.

   2.4. FSP is an anonymous archiving service that is similar to FTP. It is a
        UDP-based service that often uses the privileged UDP port 21.
        However, we have seen cases where users or intruders have established 
        their own FSP service on a non-privileged UDP port. Although FSP in
        itself is not a problem, it has the same potential for abuse as FTP.


3. WHAT YOU CAN DO 

   3.1. Software piracy

        3.1.1. Detection

               3.1.1.1. Develop in-house tools to parse the logs generated
                        from accesses to your server for puts/gets (e.g.,
                        "STOR" and "RETR" sessions). Review this information
                        for unusual or unexpected activity. 

               3.1.1.2. Regularly review the contents of your archive's
                        incoming or "drop-off" area to identify abuse, then
                        follow-up in accordance with relevant policies and
                        procedures in your organization.  

               3.1.1.3. Check for hidden directories (directories with spaces,
                        special or control characters, etc.).

               3.1.1.4. If you do not intend to offer an FSP service,
                        examine your systems for UDP services available on
                        port 21.

                        NOTE: If a user offers an unauthorized FTP or FSP
                        service on an unprivileged port, it may be difficult
                        to detect the service without a port scan.

        3.1.2. Reaction

               3.1.2.1. If you believe that your anonymous archive is being
                        used for distributing pirated software, we encourage
                        you to review the directories/files created as a result
                        of this abuse in accordance with policies and
                        procedures that may be in place within your
                        organization. 

               3.1.2.2. If you discover that your anonymous archive has been
                        misused and you find any lists containing references to
                        other sites, we encourage you to do the following;

                        - Determine where the unauthorized access(es)
                          originated (because these sites may themselves be 
                          compromised). 

                        - Review the contents of any files or directories (in 
                          accordance with policies and procedures) for
                          references to other sites or account/password
                          combinations.    

                        - Notify any sites you identified, alerting them to the
                          activity and asking them to check for potential
                          misuse or compromise.

                          To find site contact information, please refer to

                          ftp://info.cert.org/pub/whois_how_to

                          Feel free to include a copy of this document in
                          your message to the sites, especially those sites
                          that include a password file or host/account/password
                          combination. These sites will want to check for
                          further compromise.

       3.1.3. Prevention

               3.1.3.1. Review the CERT "tech tip" on anonymous FTP
                        to ensure your FTP server has been configured
                        correctly. 

                        This tech tip provides suggestions for configuring an
                        anonymous FTP area.  The document is available from

                        ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

               3.1.3.2. Regularly review the contents of your anonymous archive
                        to identify abuses and follow up as outlined above. 

               3.1.3.3. Use tools (such as Tripwire) to check file and
                        directory integrity. You can get Tripwire and other
                        tools from

                        ftp://info.cert.org/pub/tools/

   3.2. Compromised FTP server

        3.2.1. Detection

               3.2.1.1. Develop in-house tools to parse your FTP logins for
                        puts/gets (e.g., "STOR" and "RETR" sessions).  Review
                        this information for unusual or unexpected activity.

               3.2.1.2. Review the contents of your FTP directories on a
                        regular basis for inappropriate files. Check also for
                        hidden directories (directories with spaces or
                        special/control characters). 

               3.2.1.3. Ensure there has been no unauthorized modification to
                        ANY existing files (or addition of new files) on
                        your archive (including the ftp daemon).

               3.2.1.4. Ensure there has been no addition of files with a
                        security impact (such as ~ftp/.rhosts).

                        We have had reports where abusers have replaced an
                        original file with a Trojan horse version of a file (or
                        daemon). 

                        There are tools available (e.g., Tripwire) that can
                        help you check file integrity (see Sections 3.1.3.3 and
                        4.2). 

        3.2.2. Reaction

               3.2.2.1. Follow any policies and procedures that you (or your
                        site or organization) may have in place.

               3.2.2.2. We encourage you to check for signs of compromise using
                        our "CERT Generic Security Information" available from

                        ftp://info.cert.org/pub/tech_tips/security_info

                        We encourage you to consult past CERT advisories, CERT
                        summaries, and vendor bulletins, and apply what is
                        relevant to your particular configuration. We also urge
                        you to obtain and install all applicable patches or
                        workarounds described in advisories and bulletins on
                        widely used services such as rdist, tftp, ftpd,
                        anonymous FTP, NFS, and sendmail.  

                        Past CERT advisories, CERT summaries, and vendor
                        bulletins are available from 

                        ftp://info.cert.org/pub/cert_advisories
                        ftp://info.cert.org/pub/cert_summaries
                        ftp://info.cert.org/pub/cert_bulletins


               3.2.2.2. Review the CERT "tech tip" on anonymous FTP. This tech
                        tip provides suggestions for configuring an anonymous
                        FTP area, and the information will help to minimize
                        undesirable activity on the FTP server. The file is
                        available from

                        ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config

               3.2.2.3. If you discover that your FTP area has been misused
                        and you find lists containing references to other
                        sites, we encourage you to take these steps:

                        - Complete and return the CERT/CC Incident Reporting
                          Form, available from

                          ftp://info.cert.org/pub/incident_reporting_form

                          This completed form will help us better assist you.

                        - Determine where the unauthorized access(es)
                          originated.

                        - Review the contents of files or directories for
                          references to other sites or account/password
                          combinations.

                        - Notify any identified sites, alerting them to
                          the activity and asking them to check for potential
                          misuse. 

                          To find site contact information, please refer to

                          ftp://info.cert.org/pub/whois_how_to

                          Feel free to include a copy of this document in
                          your message to the sites, especially those that
                          include a password files or host/account/password
                          combination. They will want to check for further
                          compromise.

        3.2.3. Prevention

               3.2.3.1. Ensure that your FTP area is correctly configured to
                        prevent misuse in this manner. 

               3.2.3.2. Regularly review the configuration and contents of your
                        FTP area to identify abuses and follow-up as outlined
                        above.  


4. ADDITIONAL SECURITY MEASURES THAT YOU CAN TAKE

   4.1. If you have questions concerning legal issues, we encourage you to work
        with your legal counsel.  

        U.S. sites who are interested in an investigation of this activity can
        contact the FBI:

            FBI National Computer Crimes Squad 
            Washington, DC
            +1 202 324-9164

        Non-U.S. sites may want to discuss the activity with their local law
        enforcement agency to determine the appropriate steps relating to
        pursuing an investigation. 

   4.2. For general security information, please see

        ftp://info.cert.org/pub/

   4.3. To report an incident, please complete and return

        ftp://info.cert.org/pub/incident_reporting_form



Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

The CERT Coordination Center is sponsored 
by the Defense Advanced Research Projects Agency (DARPA). 
The Software Engineering Institute is sponsored by the U.S.  Department of Defense.

------------------------------------------------

[email protected]