
Re: wu-ftp segfault



On Wed, 3 May 2000, Bryan Andersen wrote:

> Time to see if there are any signs of a system compromise.
> 
> Unfortunately I'm no expert on that.  If you're using tripwire this would
> be a good time to check the integrity of system binaries.  If not, 
> look for directories like "..." or ".. " or ". ".  Note, programs like 
> ls, find, etc may be trojaned so they won't show parts of the root 
> kit.  Is there any unusual activity from the machine?  A binary that 
> is usually not trojaned is tar.  You can do a 
>   "tar xvvf /dev/null > /tmp/l" 
> then look through /tmp/l to see if there are any unusual files or 
> directories.  Note it is possible for additional modules to be loaded 
> into the kernel that modify the file system handling to better hide 
> the root kit and the operation of its payload.
> 
> If you do find your system is compromised, wu-ftpd needs to be audited 
> to look for more weak spots in its code.  The fact that you had 
> segmentation faults tells me there is likely an exploit for 2.6.0 
> wu-ftpd.  It's just not generally known yet.

I could not detect anything abnormal.

What about the optimistic approach of sending a kind e-mail to the
user who was logged in via ftp and asking him what might have happened?

Kind regards

         Andreas.
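
Added example, not part of either message above: one way to look for the decoy directory names mentioned in the quoted text ("...", ".. ", ". ") by reading directory entries directly instead of trusting ls or find. The function names and the sample tree are constructed for illustration; as the quoted message notes, a kernel-level root kit can still hide entries from this kind of check.

```python
import os
import tempfile

# Names called out in the quoted message; the rules below cover the general pattern.
KNOWN_DECOYS = {"...", ".. ", ". "}

def is_suspicious(name):
    """Return a reason string if a directory name looks like a hiding spot, else None."""
    if name in KNOWN_DECOYS:
        return "known decoy name"
    if name != name.strip():
        return "leading or trailing whitespace"
    if any(not ch.isprintable() for ch in name):
        return "non-printable character"
    if name.startswith(".") and set(name) <= {".", " "}:
        return "only dots and spaces"
    return None

def scan(root):
    """Walk root with os.scandir (no external ls/find) and list suspicious directories."""
    findings = []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            entries = list(os.scandir(current))
        except OSError:
            continue  # unreadable directory: skip it rather than abort the scan
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue  # do not follow symlinks, so the walk cannot loop
            reason = is_suspicious(entry.name)
            if reason:
                findings.append((entry.path, reason))
            stack.append(entry.path)
    return sorted(findings)

def demo():
    """Build a constructed directory tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("etc", "...", ".. ", os.path.join("home", ". "), ".ssh"):
            os.makedirs(os.path.join(root, name))
        return [(os.path.relpath(p, root), r) for p, r in scan(root)]

if __name__ == "__main__":
    for path, reason in demo():
        print(repr(path), "-", reason)  # repr() makes trailing spaces visible
```
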

