After probing the setup/config in the search for where/how to remove the “public” folder, or to chroot jail all users to that folder, I came across a section in the file wd-nas.conf
FTP Login Support
supportFTPLogin=“apollo_user:4poll0_u!”
For real? A backdoor delivered straight out of the box?
After probing the setup/config in the search for where/how to remove the “public” folder, or to chroot jail all users to that folder, I came across a section in the file wd-nas.conf
FTP Login Support
supportFTPLogin=“apollo_user:4poll0_u!”
For real? A backdoor delivered straight out of the box?
The wd-nas.conf file isn’t an “active” configuration. It just contains configuration variables that are used to create the live configuration data.
All you have to do is examine the actual FTP configuration file and see that information is NOT used.
Heck; just try logging in via FTP to the box and try those credentials… they don’t work.
If you want to keep digging into it, just grep through the various scripts for references to the variable “supportFTPLogin” to see where it’s referenced and how it’s used.
Thank you for your answer Tony, with 23300 posts I`ll think twice before disagreeing with you And as you suggested, I tested the login info before posting here of course, with no luck to log on. If I had been able to log on, well…
But that does not mean that its all sunshine, all it takes is one little script to activate those settings, or export them to the vsftpd.conf-file. Truth be told, I havent searched all the scripts on this install.
And why would SUPPORT want FTP access?
Leaving redundant code in config-files is nothing new, take a look at sshd_config. But leaving “redundant” ACCOUNTS hidden is another level of stupidity/control. Here there be dragons my friend. After running OpenBSD for 18 years, it makes me extremely weary. I dont have a tinfoil hat, but I sure am concidering making one