
eEye Digital Security


Zero-Day in Microsoft FTP Server

Last post 09-02-2009 1:08 AM by Blue1978. 2 replies.
  • 08-31-2009 7:10 PM

    Zero-Day in Microsoft FTP Server

    Just wanted to bring to everyone's attention that a zero-day in MS FTP Server has emerged today.   If you update Blink, you should receive audits that will detect if your system is susceptible to this vulnerability.  For those using FTP, now would be a good time to thoroughly look over your MS FTP Server for anything suspicious as outlined in the audit's Urgent note below.

    Furthermore, the public exploit uses anonymous access, but even if the server was locked down, the system is still susceptible to attack via a compromised account or malicious user with the right privileges.  Remember too that adding a user is one of many outcomes of a successful attack, so be thorough and mindful of anything suspicious or out of the ordinary.


    Description:
    Microsoft FTP Server contains a buffer overflow vulnerability when handling a specially crafted sequence of commands and data that could allow a remote attacker to execute arbitrary code or cause the service to crash.

    Solution:
    The best form of mitigation is to disable the FTP Service if not needed.  Alternatively, restrict access to the FTP server to only trusted users, disable anonymous FTP access (Verifiable with Audit ID 42 - "Anonymous FTP"), and disable write permissions (i.e. permissions that allow directories or files to be created, Verifiable with Audit ID 65 - "Anonymous Write") to deter exploitation.

    Urgent Note:
    If the "winown" user is detected on the system, then it is strong indication that the system has been compromised by public exploit code.  This, however, should not be considered a sole indication of exploitation since attackers can easily modify exploit code to perform functions of their choosing.  As such, the system should be thoroughly audited and monitored for suspicious activity.  Some indicators may include, but are not limited to:  new usernames, new file shares, file permission changes, existing account passwords or groups changes, suspicious log file entries, suspicious network traffic, network or system resource consumption, system instability, security applications malfunctioning, suspicious ports or services, increase/decrease of event log alerts, unscheduled system reboots, etc. For further incident response details, consult the appropriate team or user within the organization or contact the appropriate vendor.
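
    A small triage script for the indicators named in the post above (the "winown" account and anonymous write activity against the FTP service). This is an added example, not eEye's Blink audit or any code from the original thread; the local account list and the simplified W3C-style FTP log lines are constructed sample input.

```python
from collections import defaultdict

# Constructed sample of a simplified W3C-style FTP log (field layout assumed for this example).
SAMPLE_FTP_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-08-31 19:02:11 198.51.100.7 anonymous USER anonymous 331
2009-08-31 19:02:11 198.51.100.7 anonymous PASS - 230
2009-08-31 19:02:12 198.51.100.7 anonymous MKD /incoming/test 257
2009-08-31 19:02:13 198.51.100.7 anonymous STOR /incoming/a.bin 226
2009-08-31 19:05:40 203.0.113.9 bob USER bob 331
2009-08-31 19:05:41 203.0.113.9 bob PASS - 230
2009-08-31 19:05:42 203.0.113.9 bob RETR /pub/readme.txt 226
"""

# Constructed sample of local account names (as an inventory tool might list them).
SAMPLE_LOCAL_USERS = ["Administrator", "Guest", "bob", "winown"]

# Standard FTP commands that create, rename or remove files and directories.
WRITE_COMMANDS = {"MKD", "STOR", "STOU", "APPE", "RNTO", "DELE", "RMD"}
KNOWN_BAD_ACCOUNT = "winown"  # indicator named in the audit's Urgent Note

def find_indicator_accounts(local_users):
    """Return accounts matching the username created by the public exploit (case-insensitive)."""
    return [u for u in local_users if u.lower() == KNOWN_BAD_ACCOUNT]

def find_anonymous_writes(log_text):
    """Return (client_ip, command, path) for write-type commands issued in anonymous sessions."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip blank lines and W3C directives
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, c_ip, user, method, uri, _status = fields[:7]
        if user.lower() == "anonymous" and method.upper() in WRITE_COMMANDS:
            hits.append((c_ip, method.upper(), uri))
    return hits

def triage(local_users, log_text):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"account '{a}' present: matches public exploit indicator"
                for a in find_indicator_accounts(local_users)]
    by_ip = defaultdict(list)
    for c_ip, cmd, path in find_anonymous_writes(log_text):
        by_ip[c_ip].append(f"{cmd} {path}")
    for c_ip, cmds in by_ip.items():
        findings.append(f"anonymous write activity from {c_ip}: {', '.join(cmds)}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOCAL_USERS, SAMPLE_FTP_LOG):
        print("FINDING:", finding)
```

    Absence of findings is not a clean bill of health, since the post notes that attackers can change the account name or take other actions entirely.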

  • 08-31-2009 10:28 PM In reply to

    Re: Zero-Day in Microsoft FTP Server

    eEye,

    Were any tests done with Blink (Professional and Server Editions) to see if they were able to proactively stop this without having to change or add anything into Blink?  Was a BAM (for FTP) added to detect this or can this not be done based on the form of attack?


  • 09-02-2009 1:08 AM In reply to

    Re: Zero-Day in Microsoft FTP Server

© 1995 - 2009 eEye Incorporated