
ProFTPD still vulnerable (Sarge)



Hi!

On 23 November I updated the proftpd package on a Sarge machine that
regrettably has to have FTP open to the world. Soon after, somebody ran
many attempts to log in as 'Administrator'. These attempts ran again on
the 28th and again on the 29th.

On that day, they managed to make proftp fall over:

Nov 29 03:35:54 somehost proftpd[9887]: connect from 210.64.51.245 (210.64.51.245)
Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session opened.
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - no such user 'Administrator'
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 1 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 63 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - ProFTPD terminating (signal 11)
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session closed.

The attacks ceased before I noticed, so I was not able to capture a TCP
stream. I would just like to alert people that there is still some
vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.

More if this happens again and I manage to run tcpdump in time.
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |
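
Added example, not part of the original message: a small log check that groups proftpd syslog lines by session PID and reports sessions that ended with "ProFTPD terminating (signal N)", along with the peer address and any rejected user names seen first. The sample log is constructed in the same layout as the excerpt above, using documentation addresses; keying sessions on the PID alone assumes no PID reuse within the file being scanned.

```python
import re
from collections import defaultdict

# Constructed sample in the same syslog layout as the excerpt in the message
# (the 192.0.2.x addresses are documentation addresses, not real peers).
SAMPLE_LOG = """\
Nov 29 03:35:54 somehost proftpd[9887]: connect from 192.0.2.10 (192.0.2.10)
Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - FTP session opened.
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - no such user 'Administrator'
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - ProFTPD terminating (signal 11)
Nov 29 03:40:01 somehost proftpd[9901]: somehost.example.com (192.0.2.20[192.0.2.20]) - FTP session opened.
Nov 29 03:40:02 somehost proftpd[9901]: somehost.example.com (192.0.2.20[192.0.2.20]) - no such user 'Administrator'
Nov 29 03:40:05 somehost proftpd[9901]: somehost.example.com (192.0.2.20[192.0.2.20]) - FTP session closed.
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ proftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = re.compile(r"\((?P<ip>[^\[\]()]+)\[[^\]]*\]\)")      # "(host[addr])" part
SIGNAL = re.compile(r"ProFTPD terminating \(signal (?P<sig>\d+)\)")
BAD_USER = re.compile(r"no such user '(?P<user>[^']*)'")


def find_crashed_sessions(log_text):
    """Return one record per proftpd session (PID) that ended on a signal."""
    sessions = defaultdict(lambda: {"ip": None, "users": [], "signal": None, "ts": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # not a proftpd syslog line
        s = sessions[m["pid"]]
        msg = m["msg"]
        if (p := PEER.search(msg)):
            s["ip"] = p["ip"]
        if (u := BAD_USER.search(msg)):
            s["users"].append(u["user"])
        if (c := SIGNAL.search(msg)):
            s["signal"], s["ts"] = int(c["sig"]), m["ts"]
    # Sessions that closed normally never set "signal" and are dropped here.
    return [dict(pid=int(pid), **s) for pid, s in sessions.items() if s["signal"] is not None]


if __name__ == "__main__":
    for hit in find_crashed_sessions(SAMPLE_LOG):
        print(hit)
```
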


