Re: wu-ftp segfault
On Wed, 3 May 2000, Bryan Andersen wrote:
> Time to see if there are any signs of a system compromise.
> Unfortunately I'm no expert on that. If you're using tripwire this would
> be a good time to check the integrity of system binaries. If not,
> look for directories like "..." or ".. " or ". ". Note, programs like
> ls, find, etc may be trojaned so they won't show parts of the root
> kit. Is there any unusual activity from the machine? A binary that
> is usually not trojaned is tar. You can do a
> "tar xvvf /dev/null > /tmp/l"
> then look through /tmp/l to see if there are any unusual files or
> directories. Note it is possible for additional modules to be loaded
> into the kernel that modify the file system handling to better hide
> the root kit and the operation of its payload.
> If you do find your system is compromised, wu-ftpd needs to be audited
> to look for more weak spots in its code. The fact that you had
> segmentation faults tells me there is likely an exploit for 2.6.0
> wu-ftpd. It's just not generally known yet.
I could not detect anything abnormal.
What about the optimistic approach of sending a kind e-mail to the
user who was logged in via ftp and asking him what might have happened?
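
Added example, not part of the original thread: the directory-name check suggested in the quoted message, done in Python by reading directory entries with os.scandir instead of relying on ls or find. The function names and the sample tree are constructed for illustration; kernel-level hiding of the kind the quoted message mentions would conceal entries from this scan as well.

```python
import os
import tempfile


def is_suspicious(name):
    """True for names that imitate '.' or '..': only dots and whitespace,
    such as '...', '.. ' or '. ' (the real '.' and '..' are excluded)."""
    if name in (".", ".."):
        return False
    return "." in name and all(c == "." or c.isspace() for c in name)


def find_disguised_dirs(root):
    """Walk root without following symlinks and return, sorted, every
    directory whose name looks like a disguised '.' or '..' entry."""
    hits, stack = [], [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            continue  # unreadable or vanished directory: skip it
        for entry in entries:
            try:
                if not entry.is_dir(follow_symlinks=False):
                    continue
            except OSError:
                continue
            if is_suspicious(entry.name):
                hits.append(entry.path)
            stack.append(entry.path)  # descend into hidden ones too
    return sorted(hits)


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("usr/lib", "dev/...", "tmp/.. ", "var/. ", "home/.config"):
            os.makedirs(os.path.join(root, rel))
        return [os.path.relpath(p, root) for p in find_disguised_dirs(root)]


if __name__ == "__main__":
    for path in demo():
        print(repr(path))  # repr() makes trailing spaces visible
```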