
Re: ProFTPD still vulnerable (Sarge)



On Thu, Nov 30, 2006 at 07:28:53AM +0100, Lupe Christoph wrote:
> Hi!
> 
> On 23. November I updated the proftpd package on a Sarge machine that
> regrettably has to have FTP open to the world. Soon after, somebody ran
> many attempts to log in as 'Administrator'. These attempts ran again on
> the 28th and again on the 29th.
> 
> On that day, they managed to make proftp fall over:
> 
> Nov 29 03:35:54 somehost proftpd[9887]: connect from 210.64.51.245 (210.64.51.245)
> Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session opened.
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - no such user 'Administrator'
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 1 usecs
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - mod_delay/0.4: delaying for 63 usecs
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - ProFTPD terminating (signal 11)
> Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (210.64.51.245[210.64.51.245]) - FTP session closed.
> 
> The attacks ceased before I noticed, so I was not able to capture a TCP
> stream. I would just like to alert people that there is still some
> vulnerability in the ProFTPD code that was not fixed by DSA-1218-1.
> 

This is unfortunately an effect of an issue with the old mod_delay patch.
It's not an exploitation of the known issue. You have to either disable mod_delay or use
1.2.10-20sarge1, which is available at http://people.debian.org/~frankie/debian/sarge
That has been in use successfully for ages on high-load servers like alioth.
The sarge1 version also manages the 3 recent security issues.

-- 
Francesco P. Lovergine
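For anyone triaging the same symptom, the following added example (not part of the thread, and not ProFTPD or Debian code) groups proftpd syslog lines of the format quoted above by child PID and reports sessions that ended in "ProFTPD terminating (signal N)", together with the source IP, the user names tried and whether mod_delay messages preceded the crash. The log lines embedded in it are constructed for the example, with the IP addresses taken from the documentation range.

```python
import re
from collections import defaultdict

# Constructed sample lines in the proftpd syslog format quoted in the thread.
# Host, IPs and PIDs are made up; they are not real observations.
SAMPLE_LOG = """\
Nov 29 03:35:54 somehost proftpd[9887]: connect from 192.0.2.10 (192.0.2.10)
Nov 29 03:36:15 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - FTP session opened.
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - no such user 'Administrator'
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - mod_delay/0.4: delaying for 1 usecs
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - ProFTPD terminating (signal 11)
Nov 29 03:36:16 somehost proftpd[9887]: somehost.example.com (192.0.2.10[192.0.2.10]) - FTP session closed.
Nov 29 04:00:01 somehost proftpd[9901]: connect from 192.0.2.11 (192.0.2.11)
Nov 29 04:00:02 somehost proftpd[9901]: somehost.example.com (192.0.2.11[192.0.2.11]) - no such user 'Administrator'
Nov 29 04:00:03 somehost proftpd[9901]: somehost.example.com (192.0.2.11[192.0.2.11]) - FTP session closed.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ proftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\((?P<ip>[\d.]+)\[")          # the "(ip[ip])" form after the hostname
CONNECT_RE = re.compile(r"connect from (?P<ip>[\d.]+)")
USER_RE = re.compile(r"no such user '(?P<user>[^']*)'")
SIG_RE = re.compile(r"ProFTPD terminating \(signal (?P<sig>\d+)\)")


def crashed_sessions(log_text):
    """Group lines by child PID; return only sessions that ended with a signal.

    Each value: {"ip": str, "users": [str], "signal": int, "mod_delay": bool},
    where "mod_delay" is True if a mod_delay message appeared before the crash.
    """
    sessions = defaultdict(lambda: {"ip": None, "users": [], "signal": None, "mod_delay": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a proftpd line; ignore
        s, msg = sessions[m["pid"]], m["msg"]
        ip = IP_RE.search(msg) or CONNECT_RE.search(msg)
        if ip and s["ip"] is None:
            s["ip"] = ip["ip"]            # first IP seen for this child
        u = USER_RE.search(msg)
        if u:
            s["users"].append(u["user"])  # failed login names, in order
        if "mod_delay/" in msg and s["signal"] is None:
            s["mod_delay"] = True
        sig = SIG_RE.search(msg)
        if sig:
            s["signal"] = int(sig["sig"])
    return {pid: s for pid, s in sessions.items() if s["signal"] is not None}


if __name__ == "__main__":
    for pid, s in crashed_sessions(SAMPLE_LOG).items():
        print(f"pid {pid}: signal {s['signal']} from {s['ip']}, users {s['users']}, "
              f"mod_delay before crash: {s['mod_delay']}")
```

A session that only records failed logins and then closes normally (PID 9901 above) is not reported, so the output isolates the crashes from ordinary brute-force noise.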


