1993-06-08 - CERT: the letter from CERT to berkeley.edu admin

Header Data

From: Eric Hughes <hughes@soda.berkeley.edu>
To: cypherpunks@toad.com
Message Hash: 41f4a4bd6bdec31f299f4d342e899486a5cb7c4f7b5da98d7fb470b687d83109
Message ID: <9306081620.AA07331@soda.berkeley.edu>
Reply To: N/A
UTC Datetime: 1993-06-08 16:24:11 UTC
Raw Date: Tue, 8 Jun 93 09:24:11 PDT

Raw message

From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Tue, 8 Jun 93 09:24:11 PDT
To: cypherpunks@toad.com
Subject: CERT: the letter from CERT to berkeley.edu admin
Message-ID: <9306081620.AA07331@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain

Here, in its almost full glory, is the letter that CERT sent to the
admin at berkeley.  I've removed the addressee, since there's no need
to involve that person.  I have not, however, removed the name of the

Don't you just love that phrase "illegal trading of commercial


	To: <someone>@ucbvax.Berkeley.EDU
	Subject: Possible abuse of anonymous FTP area on berkeley.edu host(s)
	Organization: CERT Coordination Center
	From: cert@cert.org
	Date: Wed, 02 Jun 93 16:56:55 -0400

	Hello <someone>,

	I am a member of the CERT Coordination Center.  CERT provides
	technical assistance in response to computer security incidents.

	Would you please forward this report to the appropriate system

	We have been passed information that indicates that the anonymous FTP
	archive on the following host(s) may be in use by intruders for
	illegal trading of commercial software:

>>>>>>>	 soda.berkeley.edu				/pub/cypherpunks

	We have not confirmed this information, nor have we identified that
	the anonymous FTP configuration on the above-listed host(s) is open
	for abuse.  

	While anonymous FTP areas can be put to good use, the intruder
	community makes use of them to illegally trade commercial software and
	other information.  Intruders often create "hidden" files or
	directories in order to conceal their activity.  On UNIX hosts,
	directory and file names of a form such as "..." (dot dot dot), "..  "
	(dot dot space space), or "..^G" (dot dot control-G) may be used.

	In some cases, intruders have abused anonymous FTP areas to such an
	extent that file storage has been exhausted and a system crash or
	denial of service has resulted.  

	We would encourage you to check your anonymous FTP archive for any
	such "hidden" files or directories by using the "ls -laR" command.

	We would appreciate feedback on the name of any software packages
	found at your site and the number of accesses to that software, if
	that information is available from your logs.  Please e-mail a summary
	of this information to "cert@cert.org" before deleting any such files
	and directories from your archive.

	For your information, I have appended some suggestions for anonymous
	FTP configuration.

	Thanks for checking into this incident, and please don't hesitate to
	contact us if we can be of any assistance.

	Katherine T. Fithen
	Technical Coordinator
	CERT Coordination Center
	Software Engineering Institute
	Carnegie Mellon University
	Pittsburgh, PA  15213-3890

	Internet e-mail:  cert@cert.org (monitored during business hours)
	Telephone:  412-268-7090 (answers 24 hours a day)