Re: wu-ftp segfault

To: Andreas Tille <tillea@rki.de>
Cc: Debian Development liste <debian-devel@lists.debian.org>
Subject: Re: wu-ftp segfault
From: Bryan Andersen <bryan@visi.com>
Date: Wed, 03 May 2000 03:54:15 -0500
Message-id: <[🔎] 390FE937.FDF088C8@visi.com>
Reply-to: bryan@visi.com
References: <[🔎] Pine.LNX.4.21.0005030951450.27595-100000@wr-linux02.rki.de>

Andreas Tille wrote:
> 
> On Wed, 3 May 2000, Bryan Andersen wrote:
> 
> > Check your version number for WU-FTPD.  It should be 2.6.0 or higher.
> ~> dpkg --status wu-ftpd
> Package: wu-ftpd
> Status: install ok installed
> Priority: optional
> Section: net
> Installed-Size: 415
> Maintainer: Chris Butler <chrisb@sandy.force9.co.uk>
> Version: 2.6.0-5
> 
> > A quick jump over to CERT shows you need to have version 2.6.0 of
> > wu-ftpd or latter to avoid the known attacks against it.  Looking at
> > both the frozen and unstable releases we should be up to date.  It may
> > be that there is a new exploit.
> The version should be OK.  How to proceed now?
> There were alltogether 5
>    wu-ftpd[.*]: exiting on signal 11: Segmentation fault
> which occured in a time of 45 minutes.  All connections while this
> time were established from ith2-d69.twcny.rr.com .
> 
> Could it be a potentionally exploit or a bug in wu-ftpd.  I do logcheck
> observations since one month and never detected such things before.

Time to see if there are any signs of a system compromize.

Unfortunatly I'm no expert on that.  If your using tripwire this would
be a good time to check the integrity of system binaries.  If not, 
look for directories like "..." or ".. " or ". ".  Note, programs like 
ls, find, etc may be trojaned so they won't show parts of the root 
kit.  Is there any unusual activity from the machine?  A binary that 
is usually not trojaned is tar.  You can do a 
  "tar xvvf /dev/null > /tmp/l" 
then look thorugh /tmp/l to see if there are any unusual files or 
directories.  Note it is possible for additional modules to be loaded 
into the kernel that modify the file system handling to better hide 
the root kit and the operation of it's payload.

If you do find your system is compromised, wu-ftpd needs to be audited 
to look for more weak spots in it's code.  The fact that you had 
segmentation faults tells me there is likely an exploit for 2.6.0 
wu-ftpd.  It's just not generally known yet.

-- 
|  Bryan Andersen   |   bryan@visi.com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |

Reply to:

Follow-Ups:
- Re: wu-ftp segfault
  - From: Andreas Tille <tillea@rki.de>

References:
- Re: wu-ftp segfault
  - From: Andreas Tille <tillea@rki.de>

Prev by Date: Re: [Debian]:sawmill
Next by Date: Re: potato late, goals for woody (IMHO)
Previous by thread: Re: wu-ftp segfault
Next by thread: Re: wu-ftp segfault
Index(es):
- Date
- Thread