November 20th, 2004, 12:42 AM
#25
Junior Member
Tiger..
To respond to the FTP questions:
Yes, the FTP account(s) can be defined with rights to any portion of the filesystem (mount points).
As to the level of access, there is no "admin" equivalency (as in Windows) in Unix/Solaris/Linux. While an FTP account could have been created with full filesystem access, it's doubtful that the account would have been able to have sufficient rights to modify the filesystem enough to own it ('root' it).
It's more likely that this scenario played out (unless a buffer-overflow or weakness in the FTP daemon was exploited):
- rootbeer account broken / password guessed
- FTP is defined such that the root '/' filesystem is exposed
- rootbeer ftp user pulls down the /etc/passwd and /etc/shadow files and generates a crack against 'root'
Another scenario is that user rootbeer is broken, then the system accessed via telnet/ssh/whatever and rootbeer launches some binary that opens a new outbound port/service that provides for additional filesystem exposure.
At any rate, without audit logs, syslog, etc -- it's all just speculation.
It is entertaining to perform these kinds of post-mortem reviews and if Penguin could put the logs (usually found in /var/log) online for us to review, it could allow us to be further educated.
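As an added example that is not part of the original post: a log check of the kind such a post-mortem would start with, flagging FTP downloads of /etc/passwd and /etc/shadow. It assumes the FTP daemon writes wu-ftpd-style xferlog records (the post does not name the daemon); the sample lines, the address, and the function names are constructed for illustration.

```python
import posixpath

# Files whose download by an FTP user deserves a closer look (assumed list).
SENSITIVE = {"/etc/passwd", "/etc/shadow"}

# Constructed sample records in xferlog layout; not taken from any real system.
SAMPLE = [
    "Thu Nov 18 23:10:02 2004 1 203.0.113.5 1532 /etc/passwd a _ o r rootbeer ftp 0 * c",
    "Thu Nov 18 23:10:09 2004 1 203.0.113.5 911 /home/rootbeer/../../etc/shadow b _ o r rootbeer ftp 0 * c",
    "Thu Nov 18 23:12:40 2004 3 203.0.113.5 48211 /home/rootbeer/my notes.txt b _ i r rootbeer ftp 0 * c",
    "truncated line",
]

def parse_xferlog(line):
    """Parse one xferlog record into a dict; return None if it is malformed."""
    tok = line.split()
    if len(tok) < 18:
        return None
    try:
        size = int(tok[7])
    except ValueError:
        return None
    # The last nine fields are fixed. The filename sits between the byte
    # count and those fields, and may itself contain spaces.
    tail = tok[-9:]
    return {
        "time": " ".join(tok[0:5]),
        "host": tok[6],
        "bytes": size,
        "path": posixpath.normpath(" ".join(tok[8:-9])),  # collapses ../
        "direction": tail[2],   # o = download, i = upload, d = delete
        "access": tail[3],      # a = anonymous, g = guest, r = real account
        "user": tail[4],
        "complete": tail[8] == "c",
    }

def sensitive_downloads(lines):
    """Return (time, user, host, path, complete) for downloads of SENSITIVE files."""
    hits = []
    for line in lines:
        rec = parse_xferlog(line)
        if rec and rec["direction"] == "o" and rec["path"] in SENSITIVE:
            hits.append((rec["time"], rec["user"], rec["host"], rec["path"], rec["complete"]))
    return hits

if __name__ == "__main__":
    for hit in sensitive_downloads(SAMPLE):
        print(hit)
```

Paths in xferlog are relative to the session's root, so for a chrooted account `/etc/passwd` refers to the copy inside the chroot rather than the system file.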