Exactly -- Serv-U isn't often reported to be a favorite target of hackers in any of the links provided or in any of the 1st page results I got Googling "Serv-U security holes". It's more often reported to be a favorite tool of hackers. Hackers used Serv-U because they could install it on your machine without you knowing it and use your bandwidth and power for their FTP server. Virtually every program that is open to the internet has been compromised at some point since its development. My point is that just because hackers use Serv-U, doesn't say ANYTHING bad about the program at all. When you do find some write-ups of security issues with Serv-U's older versions, they are almost always attributed to the Windows OS on which it's installed. Even the buffer overrun problems in 2.5 that I read about were OS issues which the software had to go out of its way to address in the security patches.
--Ferg

Dan G. Switzer, II wrote:

>Charlie,
>
>>If I have the choice of 'product A' or 'product B', and product A is
>>documented as being overwhelmingly targeted by hackers, I think that
>>should be a factor in my decision. But hey, to each their own and
>>all.
>
>I think you may be misreading some of the Serv-U quotes. It's not "targeted"
>by hackers, but hackers commonly use builds of Serv-U v2 once they have
>compromised a server so they can FTP in to the server. It's not that they
>compromise Serv-U (although there have been security holes found in some
>older versions,) it's that they would install a copy of Serv-U to use as a
>way to access the server.
>
>There's a difference between hackers using an application and exploiting the
>application. The reason Serv-U became so popular to use as a "backdoor" was
>because early versions of Serv-U only needed an INI file (no installation,)
>it left a very small memory footprint and was pretty easy to hide a process.
>Not to mention, it was such a popular FTP server that it might often go
>overlooked if found, because admins are used to seeing it installed on their
>servers.
>
>In my experience, I've found Serv-U to be really secure in the past.
>Granted, as the program has grown, so has the potential for security holes,
>but Rob's always been good about patching problems quickly.
>
>-Dan

