RE: proftpd exploit??
-Original Message- From: Marcelo Drudi Miranda [mailto:[EMAIL PROTECTED]] Sent: 26. svibanj 2001 4:49 To: [EMAIL PROTECTED] Subject: Re: proftpd exploit?? Em Thu, 24 May 2001 20:34:56 +0200 Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? That is in fact DoS attack. ftpd process will probably start eating as much memory as available. Regards, Bojan Zdrnja -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: proftpd exploit??
-Original Message- From: Marcelo Drudi Miranda [mailto:[EMAIL PROTECTED] Sent: 26. svibanj 2001 4:49 To: debian-security@lists.debian.org Subject: Re: proftpd exploit?? Em Thu, 24 May 2001 20:34:56 +0200 Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? That is in fact DoS attack. ftpd process will probably start eating as much memory as available. Regards, Bojan Zdrnja
Re: proftpd exploit??
[EMAIL PROTECTED] writes: Ok. I think that this thing is considered a DoS attack... This attack can be turned off adding the following line to the configuration file (- proftpd.conf -): [EMAIL PROTECTED]:/var/log $grep ^ftp /etc/security/limits.conf ftp hardrss 8192 Even with proftpd's broken PAM support, this will work, 'cos it at least calls pam_session* (which in turn calls closelog(3)...) Thanks to proftpd, which someone from South Corea segfaulted for hours on end a while ago. Since then, we are running a modified linux-ftpd... -- SIGSTOP
Re: proftpd exploit??
Matthias Richter wrote: Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM: Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? *Dos*, of course. Sorry for being inaccurate ... This is config problems... we discuss this problems in proftpd mailing lists before.. Please search the list (Jan or Feb, I don't remember) for the solutions.. :-) -- Shell Hung // // [EMAIL PROTECTED] // [EMAIL PROTECTED] // [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: proftpd exploit??
On Sat, May 26, 2001 at 02:49:02AM +, Marcelo Drudi Miranda wrote: Em Thu, 24 May 2001 20:34:56 +0200 Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? -- Ok. I think that this thing is considered a DoS attack... This attack can be turned off adding the following line to the configuration file (- proftpd.conf -): --8-- DenyFilter \\*/ --8-- Thanks to proftpd, it give us a lot of configuration items and it is very flexible. That's all. Now in my language: Spanish Bien. Pienso que eso está considerado como un ataque DoS... Este ataque puede ser desactivado añadiendo la siguiente línea al fichero de configuración (- proftpd.conf -): --8-- DenyFilter \\*/ --8-- Gracias a proftpd, el nos da muchos campos de configuracion y es muy flexible.Eso es todo. -- yoros PGP signature
Re: proftpd exploit??
Em Thu, 24 May 2001 20:34:56 +0200
Matthias Richter [EMAIL PROTECTED] escreveu:
Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
[proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
Any solution??
This is a exploit or a Dos atack?
--
| Marcelo Drudi Miranda Microelectronics Engineering Student |
| Debian GNU/Linux User Linux Registered User #177399 .zzz».|
|-//{{{}}}. |
| e-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED](( |
| Homepage: http://sim.lme.usp.br/~drudi \\ \* ` |
| \\ \ -|
\/
pgpd0AQVYqj6h.pgp
Description: PGP signature
Re: proftpd exploit??
Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM: Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? *Dos*, of course. Sorry for being inaccurate ... regards, Matthias pgpxeCmb0076U.pgp Description: PGP signature
Re: proftpd exploit??
Matthias Richter wrote: Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM: Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? *Dos*, of course. Sorry for being inaccurate ... This is config problems... we discuss this problems in proftpd mailing lists before.. Please search the list (Jan or Feb, I don't remember) for the solutions.. :-) -- Shell Hung // // [EMAIL PROTECTED] // [EMAIL PROTECTED] // [EMAIL PROTECTED]
Re: proftpd exploit??
On Sat, May 26, 2001 at 02:49:02AM +, Marcelo Drudi Miranda wrote: Em Thu, 24 May 2001 20:34:56 +0200 Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? -- Ok. I think that this thing is considered a DoS attack... This attack can be turned off adding the following line to the configuration file (- proftpd.conf -): --8-- DenyFilter \\*/ --8-- Thanks to proftpd, it give us a lot of configuration items and it is very flexible. That's all. Now in my language: Spanish Bien. Pienso que eso está considerado como un ataque DoS... Este ataque puede ser desactivado añadiendo la siguiente línea al fichero de configuración (- proftpd.conf -): --8-- DenyFilter \\*/ --8-- Gracias a proftpd, el nos da muchos campos de configuracion y es muy flexible.Eso es todo. -- yoros pgpvAxtc9ACZM.pgp Description: PGP signature
Re: proftpd exploit??
Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM: Matthias Richter [EMAIL PROTECTED] escreveu: Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? This is a exploit or a Dos atack? *Dos*, of course. Sorry for being inaccurate ... regards, Matthias PGP signature
Re: proftpd exploit??
On Thu, 24 May 2001, Andres Herrera wrote: I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. ... Any solution?? Resource limits on the ftp server process? Zak. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: proftpd exploit??
Zak Kipling wrote: On Thu, 24 May 2001, Andres Herrera wrote: I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. ... Any solution?? Resource limits on the ftp server process? what about PathDenyFilter? robt -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: proftpd exploit??
Hi!! Thanks to everybody (and sorry for my english 0:) ) I've choosed the DenyFilter option and everything goes OK again :- The user just get and Forbidden command argument message. ... and certainly I'm subcribing my account to the proftpd mailing list ;-) Thanks again -- 101 Things you do NOT want your System Administrator to say. 94. ...and after I patched the microcode... -- Cagarruta [EMAIL PROTECTED] Linux Reg. User #66054 -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: proftpd exploit??
On Thu, 24 May 2001, Andres Herrera wrote: I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. ... Any solution?? Resource limits on the ftp server process? Zak.
Re: proftpd exploit??
Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM: [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../] Any solution?? There was mentioned a suggested entry (ment as an intermediate solution until proftpd has been fixed) to /etc/proftpd.conf: DenyFilter \*.*/ hth, Matthias -- Matthias Richter --+- stud. soz. inf. -+-- http://www.uni-leipzig.de --GPG Public Key: http://www.matthias-richter.de/gpg.ascii-- «Reality must take precedence over public relations, for Mother Nature cannot be fooled.» -- R.P. Feynman pgpCuKMLd9tnI.pgp Description: PGP signature
Re: proftpd exploit??
On Thu, May 24, 2001 at 07:43:50PM +0200, Andres Herrera wrote: Hi!! I have Potato in a machine, with ii proftpd1.2.0pre10-2.0 Versatile, virtual-hosting FTP daemon It's the last version in security.debian.org I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. When I killed proftpd, system was almost KO. This is an old an known bug. It's fixed in the CVS tree and the current unstable Version. Have a look at the bugtracking System at www.proftpd.org Any solution?? There are a few PathDeny filters out to check this and other Versions of this Bug. The other solution is to upgrade to the very stable unstable version ;-) Sven -- Subject: Re: woody hanging WRT subject. $ apt-get install viagra ;-) [Karsten M. Self in debian-user]
Re: proftpd exploit??
There was a discussion on this on the proftpd mailing list. Go to www.proftpd.org and check the archives. If I can dredge the answer up from old saved email I'll post here. You might also want to join that mailing list for help on this and future issues. At 07:15 PM 5/24/2001 +0100, Zak Kipling wrote: On Thu, 24 May 2001, Andres Herrera wrote: I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. ... Any solution?? Resource limits on the ftp server process? Zak. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- Eric N. Valor Webmeister/Inetservices Lutris Technologies [EMAIL PROTECTED] - This Space Intentionally Left Blank -
Re: proftpd exploit??
Zak Kipling wrote: On Thu, 24 May 2001, Andres Herrera wrote: I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. ... Any solution?? Resource limits on the ftp server process? Or a DenyFilter of \*.*/ as is recommended on the proftpd.org web site. http://www.proftpd.org/critbugs.html -- Jamie Heilman http://audible.transient.net/~jamie/ ...thats the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity... -Rimmer
Re: proftpd exploit??
Zak Kipling wrote: On Thu, 24 May 2001, Andres Herrera wrote: I've tried to exploit it by login and sending: ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../ and suddenly it began eating memory and getting slow all the system. ... Any solution?? Resource limits on the ftp server process? what about PathDenyFilter? robt
Re: proftpd exploit??
Hi!! Thanks to everybody (and sorry for my english 0:) ) I've choosed the DenyFilter option and everything goes OK again :- The user just get and Forbidden command argument message. ... and certainly I'm subcribing my account to the proftpd mailing list ;-) Thanks again -- 101 Things you do NOT want your System Administrator to say. 94. ...and after I patched the microcode... -- Cagarruta [EMAIL PROTECTED] Linux Reg. User #66054 --
