[Lvlug] Need more eyeballs to stop Grim's Ping

Faber Fedor faber@linuxnj.com
Thu, 30 May 2002 23:24:55 -0400


Here's an interesting little tale that I just experienced.  I thought
I'd throw it out to everyone here for fun (I love it when I shoot
trouble) and prosperity (this ML gets archived on google, et. al) and to
ask for a little help (more eyes).

A new client of mine runs a web hosting company.  Some of his clients
hold online webcam chats with their clients.  The website owner will use
software like Webcam32 to upload her webcam pics via ftp to the site while 
the client downloads the pics via ftp.  Somewhere in there conversation
is held.

For awhile now their ftp connections have been timing out.  iMy client
says it's been happening since the "security upgrade" to RH 7.0 (!!)
According to Webcam32 and other vendors, it's a "unix problem" (yeah,
right!).  Well, I noticed in /var/log/messages entries like this:

May 26 21:54:18 ns1 ftpd[13208]: ANONYMOUS FTP LOGIN FROM
blarg.foo.bar.net [1.2.3.4], Igpuser@home.com

These connections are occuring multiple times *a second*.  Also, the
username is of the form [A-Z]gpuser@home.com (if you don't understand
that, do a "man 7 regex" at the command line and RTFM :-).

After some searching on google, I discovered that this message is the
tell-tale sign of Grim's Ping (http://grimsping.cjb.net/), a tool that
is used by warez kiddies to find public ftp sites that they can upload
their warez to!

Why would this cause the webchats to time out?  Because the server is
using xinetd and is set to disable a service if too many connections
come in too fast for a particular service (inetd will do the same thng,
BTW; inetd defaults to 40 connections, xinetd defaults to unlimited but
Red Hat sets it at 60).  So, when Grim does his Ping, xinetd disables
ftp for 30 seconds.

Okay, so I found the problem.  Now, how to solve it?  That's where you
guys come in.  I've been through google, google groups, and
securityfocus.com and the one and only solution I've found is to remove
the world-readable permissions from the public ftp directories.  I've
already done that, but I find it hard to believe that is all I have to
do.  Can anyone find A) another reference to this solution or B) another
solution?


Damn, I love this sh*t! :-)


-- 
 
Regards,
 
Faber                     

+--------------------------------------+
       Linux New Jersey presents       
  Linux Boot Camp at PC EXPO/TechXNY!  
         For more information: 
        http://www.linuxnj.com
+--------------------------------------+