On Dec 14, 2016, at 4:18 PM, Shawn K. Quinn <skquinn@rushpost.com> wrote:
> > On 12/14/2016 03:07 PM, John Newman wrote:
> > Naught to do with Debian, but goddam I'm sick of seeing IPs from all over the world logging into our one anon ftp server and recursively trying to upload Photo.scr over and over, until the little monitor script catches and blocks it.
> > The file is of course actually a Windows executable, not a ".scr" file...
> First, why the hell are you running an anonymous FTP server in 2016?! FTP needs to die... it was designed in an era where it was acceptable to send passwords across the internet in plain text. That era is long gone. HTTP (really HTTPS now) for downloads, and SFTP/SCP for the use cases where HTTP(S) won't really fit.
Not up to me, my friend. Server in question supposedly facilitates some public data, e.g. supports large transfers for various shit like big chunks of the human genome project, other PubMed data, etc. I agree it's foolish, but I simply maintain the system, against recommendations I've made to superiors! It's a UNIX system btw, well, Red Hat, running vsftpd, with a simple Perl script I've written to trail the logs and blackhole anybody that looks nefarious. Kind of a very narrow fail2ban type thing...
> Second, if I remember right, .scr *is* a type of Windows executable (originally used for screensavers). Thank Microsoft for that one... most people wouldn't recognize .scr the way they would, say, .exe, .dll, and the like. This is why I like the Unix method a lot better: if you want to run something, you either have to feed it to something like bash or python on the command line, or give it execute permissions. Of course, the flip side of this is that mounting stuff over SMB has the executable bit set on everything, even stuff for which an execute action would not make any sense... which kind of shoots down this rudimentary security mechanism. (Again, blame Microsoft, who clearly thinks the existence of an execute permission bit is redundant.)
For some reason I thought Windows .scr files were bitmaps or PNGs or something... Anyway, all I know is when I run "file Photo.scr" I get back "Win32 EXE.." or whatever the precise output is, I don't recall (typing this on a phone on the subway). I calculated the MD5 the first few times I saw it and looked it up - it's this guy: http://www.securityweek.com/photominer-worm-spreads-insecure-ftp-servers

We haven't had any actual infections, I just see the fucking thing knocking on the door (and getting blocked and nuked) all the time. Sets itself up as a bitcoin miner on successful infection. And I totally agree re: Microsoft. Can't stand working with their shit. Security is intolerable (pass the hash has worked for like 20 years, not to mention a million other flaws, and the aesthetics are horrible compared to UNIX..)
> Not much I haven't said before, though: <http://www.rantroulette.com/tag/microsoft>
>
> --
> Shawn K. Quinn <skquinn@rushpost.com>
> http://www.rantroulette.com
> http://www.skqrecordquest.com
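The thread describes two defensive checks in passing: a log-trailing script that blackholes clients repeatedly trying to upload Photo.scr to the anonymous vsftpd server, and `file` identifying the dropped ".scr" as a Win32 executable. Below is an added example of both, written for this thread; it is not John's Perl script and not anything from the vsftpd project. The log layout is an assumption modelled on vsftpd's default `vsftpd.log` style, the sample log lines and client addresses are constructed, and the PE stub used for testing is a constructed header, not a real program.

```python
"""Constructed example: a fail2ban-style monitor for vsftpd logs plus a
PE-header check for anything that lands in an upload directory."""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# vsftpd's default log style (assumption: adjust LOG_RE if your log differs).
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<action>\w+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]*)")?'
)

# Constructed sample: 203.0.113.7 hammers Photo.scr, 192.0.2.9 tries three
# different uploads, 192.0.2.10 tries once, 198.51.100.20 only downloads.
SAMPLE_LOG = """\
Wed Dec 14 15:01:02 2016 [pid 4021] [ftp] OK LOGIN: Client "203.0.113.7", anon password "mozilla@"
Wed Dec 14 15:01:03 2016 [pid 4021] [ftp] FAIL UPLOAD: Client "203.0.113.7", "/pub/Photo.scr", 0.00Kbyte/sec
Wed Dec 14 15:01:04 2016 [pid 4021] [ftp] FAIL UPLOAD: Client "203.0.113.7", "/pub/incoming/Photo.scr", 0.00Kbyte/sec
Wed Dec 14 15:02:10 2016 [pid 4030] [ftp] OK LOGIN: Client "198.51.100.20", anon password "ftp@"
Wed Dec 14 15:02:55 2016 [pid 4030] [ftp] OK DOWNLOAD: Client "198.51.100.20", "/pub/genome/chr1.fa.gz", 253952 bytes, 1024.00Kbyte/sec
Wed Dec 14 15:03:00 2016 [pid 4041] [ftp] OK LOGIN: Client "192.0.2.9", anon password "a@b"
Wed Dec 14 15:03:01 2016 [pid 4041] [ftp] FAIL UPLOAD: Client "192.0.2.9", "/pub/a.txt", 0.00Kbyte/sec
Wed Dec 14 15:03:02 2016 [pid 4041] [ftp] FAIL UPLOAD: Client "192.0.2.9", "/pub/b.txt", 0.00Kbyte/sec
Wed Dec 14 15:03:03 2016 [pid 4041] [ftp] FAIL UPLOAD: Client "192.0.2.9", "/pub/c.txt", 0.00Kbyte/sec
Wed Dec 14 15:04:00 2016 [pid 4050] [ftp] OK LOGIN: Client "192.0.2.10", anon password "x@y"
Wed Dec 14 15:04:01 2016 [pid 4050] [ftp] FAIL UPLOAD: Client "192.0.2.10", "/pub/notes.txt", 0.00Kbyte/sec
"""

# File names the thread identifies as the worm's dropper.
WATCHLIST = {"photo.scr"}


def parse(log_text):
    """Yield (timestamp, ip, action, path) for lines the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        yield ts, m["ip"], m["action"], m["path"]


def scan(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: reason} for clients that should be blackholed.

    Any upload attempt (OK or FAIL) of a watchlisted name blocks at once;
    otherwise `threshold` upload attempts inside `window` block."""
    uploads = defaultdict(list)
    blocked = {}
    for ts, ip, action, path in parse(log_text):
        if action != "UPLOAD":
            continue  # downloads are the server's purpose; never count them
        name = (path or "").rsplit("/", 1)[-1].lower()
        if name in WATCHLIST:
            blocked.setdefault(ip, f"upload attempt of watchlisted name {name}")
        uploads[ip].append(ts)
    for ip, times in uploads.items():
        if ip in blocked:
            continue
        times.sort()
        for i, t in enumerate(times):
            recent = [u for u in times[: i + 1] if u >= t - window]
            if len(recent) >= threshold:
                blocked[ip] = f"{len(recent)} upload attempts within {window}"
                break
    return blocked


def is_windows_pe(data):
    """True if `data` starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'.

    This is the signature `file` keys on when it reports a Win32 EXE,
    whatever extension the uploader chose."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False  # pointer runs past the data: not a sane PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def constructed_pe_stub():
    """A constructed minimal MZ/PE header (not a real program) for testing."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for ip, why in scan(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")
    print("constructed stub is PE:", is_windows_pe(constructed_pe_stub()))
    print("PNG magic is PE:", is_windows_pe(b"\x89PNG\r\n\x1a\n" + bytes(64)))
```

In practice `scan` would be fed from a tail of the live log and its output handed to whatever blackholes the address (a firewall rule, a deny list vsftpd reads), and `is_windows_pe` would run over anything that appears in the upload directory so a dropper is quarantined even when the name changes. Downloads are deliberately never counted, since serving large public datasets is the machine's stated purpose.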