
RE: strange proftpd segfault and conntrack_ftp messages



I find it interesting that the seg fault happened, then xinetd reported it
failed.
I wonder if it's not proftp, but xinet...
just a thought.

g.


-----Original Message-----
From: Sven Hoexter [mailto:sven@telelev.net]
Sent: Thursday, January 03, 2002 5:24 AM
To: debian-security@lists.debian.org
Cc: Christian Hammers
Subject: Re: strange proftpd segfault and conntrack_ftp messages


On Wed, Jan 02, 2002 at 05:48:58PM +0100, Christian Hammers wrote:
> Hello
>
> Does anybody know a security bug for which this could be a hint?
> (hostname and ip's faked for obvious reasons)
>
> The server runs:
> 	kernel 2.4.11-pre6
> 	xined_2.1.8.8p3-1.1.deb
> 	proftpd_1.2.4-2.deb
>
> Except for that, the IP only did some normal web browsing without any
> tricks like tried cgi accesses or similar.
>
> TIA,
>
> -christian-
>
> On Wed, Jan 02, 2002 at 03:45:03PM +0100, root wrote:
> > Jan  2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
> > Jan  2 15:44:18 server proftpd[3420]: server.domain (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login attempted.
> > Jan  2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
> > Jan  2 15:44:31 server proftpd[3425]: server.domain (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11)
> > Jan  2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)

The SECURITY VIOLATION message is ok and only occurs when somebody tries to
log in with root over ftp.
The SIG 11 seems to be another problem.
Please try to reproduce this with proftpd in standalone mode with the -nd 5
flags for debugging.

Sven

--
>Lamer! :)\n Local admin with enormous privileges[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de
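
One way to check the correlation discussed in this thread, as an added example that is not part of the original mails: it parses the quoted syslog lines and, for each proftpd crash, reports whether the same client hit the root-login check beforehand, how many conntrack_ftp partial PORT lines fall in the same window, and whether an xinetd EXIT line names the crashed pid. The 60-second window, the assumed year 2002 and all function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log lines from the post above, with the mail client's line wraps rejoined.
SAMPLE = """\
Jan  2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
Jan  2 15:44:18 server proftpd[3420]: server.domain (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login attempted.
Jan  2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
Jan  2 15:44:31 server proftpd[3425]: server.domain (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11)
Jan  2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w-]+)(?:\[(\d+)\])?: (.*)$")
CLIENT = re.compile(r"\(([^\[\s]+)\[[^\]]+\]\) - ")
CRASH = re.compile(r"terminating \(signal (\d+)\)")
XINETD_EXIT = re.compile(r"EXIT: \S+ status=\d+ pid=(\d+)")

def parse(text, year=2002):
    """Yield (time, program, pid, message). Syslog omits the year; 2002 is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield ts, m[2], int(m[3]) if m[3] else None, m[4]

def first(rx, msg):
    m = rx.search(msg)
    return m[1] if m else None

def correlate(text, window=timedelta(seconds=60)):
    """Return one finding per proftpd crash, with context from lines inside the window."""
    events, findings = list(parse(text)), []
    for ts, prog, pid, msg in events:
        sig = first(CRASH, msg) if prog == "proftpd" else None
        if sig is None: continue
        near = [e for e in events if abs(e[0] - ts) <= window]
        client = first(CLIENT, msg)
        findings.append({
            "pid": pid, "client": client, "signal": int(sig),
            # Same client tripped the root-login check earlier (possibly under another pid).
            "root_login_before": any(p == "proftpd" and "root login attempted" in m and t <= ts
                                     and first(CLIENT, m) == client for t, p, _, m in near),
            # Kernel lines carry no client address, so these are matched by time only.
            "partial_port_lines": sum(p == "kernel" and "conntrack_ftp: partial PORT" in m
                                      for _, p, _, m in near),
            # An xinetd EXIT line whose pid= field names the crashed child.
            "xinetd_exit_for_pid": any(p == "xinetd" and first(XINETD_EXIT, m) == str(pid) for _, p, _, m in near),
        })
    return findings
```

Calling `correlate(SAMPLE)` returns a single finding for pid 3425; the root-login line it is matched against belongs to pid 3420, a different session from the same client address.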

