What the hell is this??

    What the hell is this??  
Davide Bianchi


01-23-04 09:51 PM

A little background: to allow my (l)users to exchange very big files
with our customers without clogging the mail server I set up an
anonymous-access-only ftp server. The machine is based on OpenBSD.

Every now and then, some dumbass is using it to dump some warez, and
every now and then a mail is sent to dumbass' provider and the shit is
removed with a quick rm -fr and (just for sanity) dumbass' IP is in
the hosts.deny list.

Now, it's been a couple of days that I see this in my log:

Oct 21 03:55:13 servername ftpd[1148]: command: RETR /pub/httpd.conf
Oct 21 03:55:13 servername ftpd[1148]: <--- 550
Oct 21 03:55:13 servername ftpd[1148]: /pub/httpd.conf: No such file or directory.
Oct 21 03:55:13 servername ftpd[1148]: get /pub/httpd.conf
Oct 21 03:55:13 servername ftpd[1148]: command: CWD /pub/httpd.conf
Oct 21 03:55:13 servername ftpd[1148]: <--- 550
Oct 21 03:55:13 servername ftpd[1148]: /pub/httpd.conf: No such file or directory.

It looks to me that some dumbass is trying to get httpd.conf... pity
that the machine doesn't have apache installed, and even if it was
it wouldn't be there for them to take... but I wonder: why the hell
is someone interested in the httpd.conf of someone else?
When you have that little piece of crap what do you think you can do
with it? Does anyone have an idea about this?

Davide
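
Added example, not part of the original post: one way to pick this pattern out of the ftpd log automatically, by grouping lines per ftpd PID and flagging sessions that asked for a watched file name and were refused. The "connection from" lines, the addresses and the watch list are assumptions; the post shows only the command and reply lines.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog layout quoted in the post. The
# "connection from" lines and their addresses are assumptions; the
# post does not show how ftpd logged the client.
SAMPLE_LOG = """\
Oct 21 03:55:12 servername ftpd[1148]: connection from 192.0.2.44
Oct 21 03:55:13 servername ftpd[1148]: command: RETR /pub/httpd.conf
Oct 21 03:55:13 servername ftpd[1148]: <--- 550
Oct 21 03:55:13 servername ftpd[1148]: /pub/httpd.conf: No such file or directory.
Oct 21 03:55:13 servername ftpd[1148]: command: CWD /pub/httpd.conf
Oct 21 03:55:13 servername ftpd[1148]: <--- 550
Oct 21 04:10:02 servername ftpd[1201]: connection from 198.51.100.7
Oct 21 04:10:03 servername ftpd[1201]: command: RETR /pub/drawings.zip
Oct 21 04:10:09 servername ftpd[1201]: <--- 226
Oct 21 04:12:40 servername ftpd[1201]: command: RETR /pub/old.zip
Oct 21 04:12:40 servername ftpd[1201]: <--- 550
"""

LINE = re.compile(r"ftpd\[(\d+)\]: (.*)$")
# Hypothetical watch list: file names nobody should ask a drop box for.
WATCHED = re.compile(r"(?:^|/)(httpd\.conf|\.htpasswd|passwd|shadow)$")

def find_probes(log_text):
    """Map ftpd PID -> {"source", "paths"} for sessions that asked for a
    watched file name and got a 5xx reply."""
    source, pending, hits = {}, {}, defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.search(raw.rstrip())
        if not m:
            continue                      # wrapped or unrelated line
        pid, msg = m.groups()
        if msg.startswith("connection from "):
            source[pid] = msg.split()[-1]
        elif msg.startswith("command: "):
            arg = msg.split(None, 2)[2:]  # [] when the command has no argument
            if arg and WATCHED.search(arg[0]):
                pending[pid] = arg[0]
            else:
                pending.pop(pid, None)
        elif msg.startswith("<--- "):
            path = pending.pop(pid, None)
            if path and msg[5:6] == "5" and path not in hits[pid]:
                hits[pid].append(path)
    return {pid: {"source": source.get(pid, "unknown"), "paths": paths}
            for pid, paths in hits.items()}

if __name__ == "__main__":
    for pid, info in find_probes(SAMPLE_LOG).items():
        print(f"ftpd[{pid}] {info['source']}: {', '.join(info['paths'])}")
```

An ordinary failed download (the second session in the sample) is not flagged, because the refused name is not on the watch list.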






    Re: What the hell is this??  
Doug Freyburger


01-23-04 09:51 PM

Davide Bianchi wrote:
> It looks to me that some dumbass is trying to get httpd.conf... pity
> that the machine doesn't have apache installed, and even if it was
> it wouldn't be there for them to take... but I wonder: why the hell
> is someone interested in the httpd.conf of someone else?
> When you have that little piece of crap what do you think you can do
> with it? Does anyone have an idea about this?

Hey long time no see. How's it going these days? Drop me a line.

Given the config file for a web browser, you could look in it to see
what else to retrieve. It would be the starting point for a probe
attack. The next step would be to probe for common holes since plugged
by patches, for unprotected directories, for too-easy access to cgi-bin
stuff, you name it.





    Re: What the hell is this??  
Davide Bianchi


01-23-04 09:51 PM

Doug Freyburger <dfreybur@yahoo.com> wrote:
> Hey long time no see. How's it going these days? Drop me a line.

...you sure I'm the person you think I am?

> Given the config file for a web browser, you could look in it to see
> what else to retrieve. It would be the starting point for a probe
> attack.

Hummm... maybe I'm a little thick-minded, but to me it looks like
a doomed approach. Even knowing the absolute path of something on
the machine, the fact that Apache runs as user "nobody" (or similar),
means that you can't read anything interesting.

Anyway I'll keep shutting the door for these kinds of things.

Davide





    Re: What the hell is this??  
Nicholas Bachmann


01-23-04 09:51 PM

Davide Bianchi wrote:
> Doug Freyburger <dfreybur@yahoo.com> wrote:
>
> ...you sure I'm the person you think I am?
>
> Hummm... maybe I'm a little thick-minded, but to me it looks like
> a doomed approach. Even knowing the absolute path of something on
> the machine, the fact that Apache runs as user "nobody" (or similar),

Yes, but how would the attacker know that... by looking at httpd.conf.
Maybe the attacker is probing for somebody clue-deprived enough to have
FPEd Apache. Perhaps you could have some fun virtual hosts or virtual
directories like /credit_card_numbers or something :-).

> means that you can't read anything interesting.

True, but remember being able to execute code, even as nobody, puts the
attacker much closer to root. Local priv-escalation exploits are easier
to use and less frequently patched-for than remote rooting exploits.

> Anyway I'll keep shutting the door for these kind of things.

--
Regards,
Nick

My email address is real





    Re: What the hell is this??  
Doug Freyburger


01-23-04 09:51 PM

Davide Bianchi wrote:
> Doug Freyburger wrote:
>
> ...you sure I'm the person you think I am?

I guess not. I worked with a Dave Bianchi at Collective Technologies
a few years ago. Wrong Bianchi.

> Hummm... maybe I'm a little thick-minded, but to me it looks like
> a doomed approach.

Agreed but I'm with Nicholas B on that. There will be enough clueless
installations that if it is a scripted attack it's low effort.





    Re: What the hell is this??  
Davide Bianchi


01-23-04 09:51 PM

Doug Freyburger <dfreybur@yahoo.com> wrote:
> I guess not. I worked with a Dave Bianchi at Collective Technologies
> a few years ago. Wrong Bianchi.

Well, "Bianchi" is a very common name and Davide isn't so strange
either, so, common mistake.

> Agreed but I'm with Nicholas B on that. There will be enough clueless
> installations that if it is a scripted attack it's low effort.

Ok, I got the idea. I'll keep shutting down their IPs. Thanks.

Davide




All times are GMT.