Re: wu-ftp segfault

Andreas Tille wrote:
> On Wed, 3 May 2000, Bryan Andersen wrote:
> > Check your version number for WU-FTPD.  It should be 2.6.0 or higher.
> ~> dpkg --status wu-ftpd
> Package: wu-ftpd
> Status: install ok installed
> Priority: optional
> Section: net
> Installed-Size: 415
> Maintainer: Chris Butler <chrisb@sandy.force9.co.uk>
> Version: 2.6.0-5
> > A quick jump over to CERT shows you need to have version 2.6.0 of
> > wu-ftpd or later to avoid the known attacks against it.  Looking at
> > both the frozen and unstable releases we should be up to date.  It may
> > be that there is a new exploit.
> The version should be OK.  How to proceed now?
> There were altogether 5
>    wu-ftpd[.*]: exiting on signal 11: Segmentation fault
> which occurred in a time of 45 minutes.  All connections during this
> time were established from ith2-d69.twcny.rr.com .
> Could it be a potential exploit or a bug in wu-ftpd?  I have been doing
> logcheck observations for one month and never detected such things before.

Time to see if there are any signs of a system compromise.

Unfortunately I'm no expert on that.  If you're using tripwire this would
be a good time to check the integrity of system binaries.  If not, 
look for directories like "..." or ".. " or ". ".  Note, programs like 
ls, find, etc. may be trojaned so they won't show parts of the root 
kit.  Is there any unusual activity from the machine?  A binary that 
is usually not trojaned is tar.  You can do a 
  "tar cvvf /dev/null / > /tmp/l" 
then look through /tmp/l to see if there are any unusual files or 
directories.  Note it is possible for additional modules to be loaded 
into the kernel that modify the file system handling to better hide 
the root kit and the operation of its payload.

If you do find your system is compromised, wu-ftpd needs to be audited 
to look for more weak spots in its code.  The fact that you had 
segmentation faults tells me there is likely an exploit for 2.6.0 
wu-ftpd.  It's just not generally known yet.
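
One way to run the hidden-directory check described above without relying on ls or find, as an added example that is not part of the original message: it reads directory entries directly from Python and flags names such as "..." or ".. ". The function names are illustrative, and a kernel module that hides entries can still defeat it.

```python
import os
import re
import sys

# Names made only of dots and whitespace ("...", ".. ", ". ").  "." and ".."
# are never returned by os.scandir, so any match is a real on-disk entry.
DOTS_AND_SPACE = re.compile(r"[.\s]+")


def suspicious_reason(name):
    """Return why an entry name looks like a hiding spot, or None."""
    if DOTS_AND_SPACE.fullmatch(name):
        return "only dots/whitespace"
    if name != name.strip():
        return "leading/trailing whitespace"
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return "control character"
    return None


def scan_tree(root):
    """Walk root without following symlinks; return sorted (path, reason)."""
    findings = []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError:
            continue  # unreadable directory; a fuller tool would report it
        for entry in entries:
            reason = suspicious_reason(entry.name)
            if reason:
                findings.append((entry.path, reason))
            try:
                is_dir = entry.is_dir(follow_symlinks=False)
            except OSError:
                is_dir = False
            if is_dir:
                stack.append(entry.path)
    return sorted(findings)


if __name__ == "__main__":
    # repr() makes trailing spaces and control characters visible.
    for path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{reason}: {path!r}")
```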

