Here, in its almost full glory, is the letter that CERT sent to the admin at berkeley. I've removed the addressee, since there's no need to involve that person. I have not, however, removed the name of the sender. Don't you just love that phrase "illegal trading of commercial software"? Eric ----------------------------------------------------------------------------- To: <someone>@ucbvax.Berkeley.EDU Subject: Possible abuse of anonymous FTP area on berkeley.edu host(s) Organization: CERT Coordination Center From: cert@cert.org Date: Wed, 02 Jun 93 16:56:55 -0400 Hello <someone>, I am a member of the CERT Coordination Center. CERT provides technical assistance in response to computer security incidents. Would you please forward this report to the appropriate system administrator(s)? We have been passed information that indicates that the anonymous FTP archive on the following host(s) may be in use by intruders for illegal trading of commercial software:
> soda.berkeley.edu /pub/cypherpunks
We have not confirmed this information, nor have we identified that the anonymous FTP configuration on the above-listed host(s) is open for abuse. While anonymous FTP areas can be put to good use, the intruder community makes use of them to illegally trade commercial software and other information. Intruders often create "hidden" files or directories in order to conceal their activity. On UNIX hosts, directory and file names of a form such as "..." (dot dot dot), ".. " (dot dot space space), or "..^G" (dot dot control-G) may be used. In some cases, intruders have abused anonymous FTP areas to such an extent that file storage has been exhausted and a system crash or denial of service has resulted. We would encourage you to check your anonymous FTP archive for any such "hidden" files or directories by using the "ls -laR" command. We would appreciate feedback on the name of any software packages found at your site and the number of accesses to that software, if that information is available from your logs. Please e-mail a summary of this information to "cert@cert.org" before deleting any such files and directories from your archive. For your information, I have appended some suggestions for anonymous FTP configuration. Thanks for checking into this incident, and please don't hesitate to contact us if we can be of any assistance. Katherine T. Fithen Technical Coordinator CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet e-mail: cert@cert.org (monitored during business hours) Telephone: 412-268-7090 (answers 24 hours a day)