I might have been wrong on the package version ... it's proftpd 1.3.3a (seen in the log), but I'm not sure on the "-5" part for the package version (I got it from the package.debian.org website when looking for 1.3.3a proftpd package in squeeze before being able to access my box) ... If so, it could be the IAC Remote Root exploit mentioned in #602769. (It would explain the great number of suspect lines in the logs.) I'll check the exact version I had and if it was a vulnerable 1.3.3a, then I'll apologize profoundly.
On Mon, 15 Nov 2010 15:15:03 +0100, "Francesco P. Lovergine" <[email protected]> wrote:
> On Mon, Nov 15, 2010 at 03:05:17PM +0100, Jean Couillaud wrote:
>> I suspected proftpd and a quick look at the proftpd logs shows a really
>> great number of login attempts (bruteforce like) and several "too long
>> command" thingies (I'll be more specific this evening), the one last
>> being at the exact same time the mod_facl error and the psadmin user
>> creation. You said mod_facl is not active by default. It's quite strange
>> since I didn't remember modifying the proftpd configuration since I
>> installed it a few months ago.
>>
>
> As said, mod_facl is not active by default, and the whole content of
> your /etc/proftpd directory would help to understand what happened
> and if it is due to proftpd or what else. Note that you had also
> installed an apache server (with possibly some webapps?).

