1. DESCRIPTION This document provides a general overview of problems associated with abuses of anonymous FTP (File Transfer Protocol) areas. It includes information that will help you respond to and recover from such activity. This document addresses two issues relating to anonymous FTP abuse (details are in Section 3): - Software piracy (the distribution of stolen software, copyrighted or proprietary materials, or similar information) (Sec. 3.1) - Misconfigured/compromised FTP server (Sec. 3.2) Anonymous archives may be provided in a number of ways, most commonly through anonymous FTP (although similar services can be provided via other protocols such as FSP and NFS). Some sites configure their anonymous FTP servers to allow writable areas (for example, to make available incoming or "drop-off" directories for files being sent to the site). If these files can be *read* by anonymous FTP users, then the potential for abuse exists. Abusers often gather and distribute lists describing the locations of vulnerable sites and the information these sites contain. The lists commonly include the names of writable directories and the locations of pirated software; they may also include password files and/or other sensitive information. Unfortunately, there have been many cases in which system administrators are unaware that this abuse is taking place on their archive. They may be unfamiliar with this type of abuse (and so haven't taken steps to prevent it), or they may think that they have configured the archive to prevent abuse when, in fact, they have not. System administrators at the sites being used to place/pick up items from the drop-off area may also not be aware that their users are participating in this activity. Finally, an anonymous archive server actually may be misconfigured or compromised. This misconfiguration/compromise could, in addition to the abuses mentioned above, provide someone with the ability to run processes under the UID of the FTP daemon. 2. TECHNICAL ISSUES 2.1. A file can be placed in the writable area of the anonymous FTP server. If this area is also readable, anyone who can connect to the anonymous FTP server can obtain a copy of the file. 2.2. Specifically, abusers do the following: - Store and retrieve information. This information is often placed in unusual or hidden files (e.g., files that start with a period or space and normally not shown by "ls") that may be placed in hidden directories, possibly nested within several layers and not readily apparent. - Gather information about the availability of sites where the anonymous FTP areas are abused, then compile a comprehensive listing (known as "warez" lists) of the locations. The lists typically include the names of writable directories and the locations of pirated software; they may also include entries for accounts and passwords. Please note that these lists may nor may not be out of date; there is no way to tell if the information is accurate without checking each site. - Disseminate information about the location of such materials via email, Internet Relay Chat (IRC), posting to newsgroups or bulletin-board services, or other means. - Use this information for personal, commercial or political gain, or carry out attacks against other individuals or organizations. - Abuse a vulnerable archive site for a short span of time and then move on to other sites. - Leverage this access and/or exploit system configuration weaknesses to gain other privileged access. 2.3. Some sites have reported many hundreds of connections in a very short span of time that have been identified as "puts" and "gets", e.g., to store and retrieve pirated software, on their anonymous archive server. This may cause a denial of service, crash the system, or consume disk space on the system. 2.4. FSP is an anonymous archiving service that is similar to FTP. It is a UDP-based service that often uses the privileged UDP port 21. However, we have seen cases where users or intruders have established their own FSP service on a non-privileged UDP port. Although FSP in itself is not a problem, it has the same potential for abuse as FTP. 3. WHAT YOU CAN DO 3.1. Software piracy 3.1.1. Detection 3.1.1.1. Develop in-house tools to parse the logs generated from accesses to your server for puts/gets (e.g., "STOR" and "RETR" sessions). Review this information for unusual or unexpected activity. 3.1.1.2. Regularly review the contents of your archive's incoming or "drop-off" area to identify abuse, then follow-up in accordance with relevant policies and procedures in your organization. 3.1.1.3. Check for hidden directories (directories with spaces, special or control characters, etc.). 3.1.1.4. If you do not intend to offer an FSP service, examine your systems for UDP services available on port 21. NOTE: If a user offers an unauthorized FTP or FSP service on an unprivileged port, it may be difficult to detect the service without a port scan. 3.1.2. Reaction 3.1.2.1. If you believe that your anonymous archive is being used for distributing pirated software, we encourage you to review the directories/files created as a result of this abuse in accordance with policies and procedures that may be in place within your organization. 3.1.2.2. If you discover that your anonymous archive has been misused and you find any lists containing references to other sites, we encourage you to do the following; - Determine where the unauthorized access(es) originated (because these sites may themselves be compromised). - Review the contents of any files or directories (in accordance with policies and procedures) for references to other sites or account/password combinations. - Notify any sites you identified, alerting them to the activity and asking them to check for potential misuse or compromise. To find site contact information, please refer to ftp://info.cert.org/pub/whois_how_to Feel free to include a copy of this document in your message to the sites, especially those sites that include a password file or host/account/password combination. These sites will want to check for further compromise. 3.1.3. Prevention 3.1.3.1. Review the CERT "tech tip" on anonymous FTP to ensure your FTP server has been configured correctly. This tech tip provides suggestions for configuring an anonymous FTP area. The document is available from ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config 3.1.3.2. Regularly review the contents of your anonymous archive to identify abuses and follow up as outlined above. 3.1.3.3. Use tools (such as Tripwire) to check file and directory integrity. You can get Tripwire and other tools from ftp://info.cert.org/pub/tools/ 3.2. Compromised FTP server 3.2.1. Detection 3.2.1.1. Develop in-house tools to parse your FTP logins for puts/gets (e.g., "STOR" and "RETR" sessions). Review this information for unusual or unexpected activity. 3.2.1.2. Review the contents of your FTP directories on a regular basis for inappropriate files. Check also for hidden directories (directories with spaces or special/control characters). 3.2.1.3. Ensure there has been no unauthorized modification to ANY existing files (or addition of new files) on your archive (including the ftp daemon). 3.2.1.4. Ensure there has been no addition of files with a security impact (such as ~ftp/.rhosts). We have had reports where abusers have replaced an original file with a Trojan horse version of a file (or daemon). There are tools available (e.g., Tripwire) that can help you check file integrity (see Sections 3.1.3.3 and 4.2). 3.2.2. Reaction 3.2.2.1. Follow any policies and procedures that you (or your site or organization) may have in place. 3.2.2.2. We encourage you to check for signs of compromise using our "CERT Generic Security Information" available from ftp://info.cert.org/pub/tech_tips/security_info We encourage you to consult past CERT advisories, CERT summaries, and vendor bulletins, and apply what is relevant to your particular configuration. We also urge you to obtain and install all applicable patches or workarounds described in advisories and bulletins on widely used services such as rdist, tftp, ftpd, anonymous FTP, NFS, and sendmail. Past CERT advisories, CERT summaries, and vendor bulletins are available from ftp://info.cert.org/pub/cert_advisories ftp://info.cert.org/pub/cert_summaries ftp://info.cert.org/pub/cert_bulletins 3.2.2.2. Review the CERT "tech tip" on anonymous FTP. This tech tip provides suggestions for configuring an anonymous FTP area, and the information will help to minimize undesirable activity on the FTP server. The file is available from ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config 3.2.2.3. If you discover that your FTP area has been misused and you find lists containing references to other sites, we encourage you to take these steps: - Complete and return the CERT/CC Incident Reporting Form, available from ftp://info.cert.org/pub/incident_reporting_form This completed form will help us better assist you. - Determine where the unauthorized access(es) originated. - Review the contents of files or directories for references to other sites or account/password combinations. - Notify any identified sites, alerting them to the activity and asking them to check for potential misuse. To find site contact information, please refer to ftp://info.cert.org/pub/whois_how_to Feel free to include a copy of this document in your message to the sites, especially those that include a password files or host/account/password combination. They will want to check for further compromise. 3.2.3. Prevention 3.2.3.1. Ensure that your FTP area is correctly configured to prevent misuse in this manner. 3.2.3.2. Regularly review the configuration and contents of your FTP area to identify abuses and follow-up as outlined above. 4. ADDITIONAL SECURITY MEASURES THAT YOU CAN TAKE 4.1. If you have questions concerning legal issues, we encourage you to work with your legal counsel. U.S. sites who are interested in an investigation of this activity can contact the FBI: FBI National Computer Crimes Squad Washington, DC +1 202 324-9164 Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps relating to pursuing an investigation. 4.2. For general security information, please see ftp://info.cert.org/pub/ 4.3. To report an incident, please complete and return ftp://info.cert.org/pub/incident_reporting_form Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. The CERT Coordination Center is sponsored by the Defense Advanced Research Projects Agency (DARPA). The Software Engineering Institute is sponsored by the U.S. Department of Defense.