[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wu-ftp segfault

On Wed, 3 May 2000, Bryan Andersen wrote:

> Time to see if there are any signs of a system compromize.
> Unfortunatly I'm no expert on that.  If your using tripwire this would
> be a good time to check the integrity of system binaries.  If not, 
> look for directories like "..." or ".. " or ". ".  Note, programs like 
> ls, find, etc may be trojaned so they won't show parts of the root 
> kit.  Is there any unusual activity from the machine?  A binary that 
> is usually not trojaned is tar.  You can do a 
>   "tar xvvf /dev/null > /tmp/l" 
> then look thorugh /tmp/l to see if there are any unusual files or 
> directories.  Note it is possible for additional modules to be loaded 
> into the kernel that modify the file system handling to better hide 
> the root kit and the operation of it's payload.
> If you do find your system is compromised, wu-ftpd needs to be audited 
> to look for more weak spots in it's code.  The fact that you had 
> segmentation faults tells me there is likely an exploit for 2.6.0 
> wu-ftpd.  It's just not generally known yet.
I could not detect anything anormal.

What about the optimistic approach to send a kind e-mail to the
user which was logged in via ftp and ask him what might has happened?

Kind regards


Reply to: