RE: proftpd exploit??
> -----Original Message-----
> From: Marcelo Drudi Miranda [mailto:[EMAIL PROTECTED]]
> Sent: 26 May 2001 4:49
> To: debian-security@lists.debian.org
> Subject: Re: proftpd exploit??
>
> On Thu, 24 May 2001 20:34:56 +0200, Matthias Richter <[EMAIL PROTECTED]> wrote:
>
> > Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> > [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > > Any solution??
> >
> > Is this an exploit or a DoS attack?

That is in fact a DoS attack. The ftpd process will probably start eating as much memory as is available.

Regards,
Bojan Zdrnja
Re: proftpd exploit??
[EMAIL PROTECTED] writes:

> Ok. I think that this thing is considered a DoS attack...
> This "attack" can be turned off by adding the following line to the
> configuration file (proftpd.conf):

[EMAIL PROTECTED]:/var/log $ grep ^ftp /etc/security/limits.conf
ftp    hard    rss    8192

Even with proftpd's broken PAM support, this will work, 'cos it at least calls pam_session* (which in turn calls closelog(3)...)

> Thanks to "proftpd",

which someone from South Korea segfaulted for hours on end a while ago. Since then, we are running a modified linux-ftpd...

--
SIGSTOP
Re: proftpd exploit??
On Sat, May 26, 2001 at 02:49:02AM +0000, Marcelo Drudi Miranda wrote:
> On Thu, 24 May 2001 20:34:56 +0200, Matthias Richter <[EMAIL PROTECTED]> wrote:
>
> > Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> > [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > > Any solution??
> >
> > Is this an exploit or a DoS attack?
>

Ok. I think that this thing is considered a DoS attack...

This "attack" can be turned off by adding the following line to the configuration file (proftpd.conf):

--8<--
DenyFilter "\\*/"
--8<--

Thanks to "proftpd", it gives us a lot of configuration items and it is very flexible.

That's all.

Now in my language, Spanish:

Ok. I think that this is considered a DoS attack...

This attack can be disabled by adding the following line to the configuration file (proftpd.conf):

--8<--
DenyFilter "\\*/"
--8<--

Thanks to "proftpd", it gives us many configuration fields and it is very flexible. That's all.

--
yoros
Re: proftpd exploit??
Matthias Richter wrote:
>
> Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM:
> > Matthias Richter <[EMAIL PROTECTED]> wrote:
> > >
> > > Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> > > [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > > > Any solution??
> > >
> > > Is this an exploit or a DoS attack?
>
> *DoS*, of course. Sorry for being inaccurate ...

This is a config problem... we discussed this problem on the proftpd mailing lists before. Please search the list (Jan or Feb, I don't remember) for the solutions. :-)

--
Shell Hung // [EMAIL PROTECTED] // [EMAIL PROTECTED] // [EMAIL PROTECTED]
Re: proftpd exploit??
Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM:
> Matthias Richter <[EMAIL PROTECTED]> wrote:
>
> > Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> > [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > > Any solution??
> >
> > Is this an exploit or a DoS attack?

*DoS*, of course. Sorry for being inaccurate ...

regards,
Matthias
Re: proftpd exploit??
On Thu, 24 May 2001 20:34:56 +0200, Matthias Richter <[EMAIL PROTECTED]> wrote:
> Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > Any solution??
>

Is this an exploit or a DoS attack?

--
Marcelo Drudi Miranda, Microelectronics Engineering Student
Debian GNU/Linux User, Linux Registered User #177399
e-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
Homepage: http://sim.lme.usp.br/~drudi
Re: proftpd exploit??
Hi!!

Thanks to everybody (and sorry for my english 0:) )

I've chosen the DenyFilter option and everything goes OK again :-)
The user just gets a "Forbidden command argument" message.

... and certainly I'm subscribing my account to the proftpd mailing list ;-)

Thanks again

--
101 Things you do NOT want your System Administrator to say.
94. ...and after I patched the microcode...
--
Cagarruta <[EMAIL PROTECTED]>
Linux Reg. User #66054
Re: proftpd exploit??
Zak Kipling wrote:
>
> On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by logging in and sending:
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> > and suddenly it began eating memory and the whole system got slow.
> ...
> > Any solution??
>
> Resource limits on the ftp server process?

What about PathDenyFilter?

robt
Re: proftpd exploit??
Zak Kipling wrote:
> On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by logging in and sending:
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> > and suddenly it began eating memory and the whole system got slow.
> ...
> > Any solution??
>
> Resource limits on the ftp server process?

Or a DenyFilter of \*.*/ as is recommended on the proftpd.org web site.
http://www.proftpd.org/critbugs.html

--
Jamie Heilman http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
Re: proftpd exploit??
There was a discussion on this on the proftpd mailing list. Go to www.proftpd.org and check the archives. If I can dredge the answer up from old saved email I'll post it here. You might also want to join that mailing list for help on this and future issues.

At 07:15 PM 5/24/2001 +0100, Zak Kipling wrote:
> On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by logging in and sending:
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> > and suddenly it began eating memory and the whole system got slow.
> ...
> > Any solution??
>
> Resource limits on the ftp server process?
>
> Zak.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
Re: proftpd exploit??
On Thu, May 24, 2001 at 07:43:50PM +0200, Andres Herrera wrote:
> Hi!!
>
> I have Potato on a machine, with
>
> ii  proftpd  1.2.0pre10-2.0  Versatile, virtual-hosting FTP daemon
>
> It's the last version in security.debian.org
>
> I've tried to exploit it by logging in and sending:
>
> ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
>
> and suddenly it began eating memory and the whole system got slow.
>
> When I killed proftpd, the system was almost KO.

This is an old and known bug. It's fixed in the CVS tree and the current unstable version. Have a look at the bug tracking system at www.proftpd.org

> Any solution??

There are a few PathDeny filters out there to check this and other versions of this bug. The other solution is to upgrade to the very stable unstable version ;-)

Sven

--
Subject: Re: woody hanging
> WRT subject.
> $ apt-get install viagra ;-)
[Karsten M. Self in debian-user]
Re: proftpd exploit??
Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
[proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> Any solution??

A suggested entry for /etc/proftpd.conf was mentioned (meant as an intermediate solution until proftpd has been fixed):

DenyFilter \*.*/

hth,
Matthias

--
Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
-->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--
«Reality must take precedence over public relations, for Mother Nature cannot be fooled.» -- R.P. Feynman
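To show what the two DenyFilter lines proposed in this thread actually reject, and why the `../*/../*/...` argument grows the way it does, here is an added example of mine (not proftpd's code and not from any post): it treats DenyFilter as a regex applied to the command argument, which is what produces the "Forbidden command argument" reply, and counts the expansion of the repeated glob over a small constructed directory tree. The regex reading of the conf lines, the sample arguments and the tree are my assumptions.

```python
import re

# The two DenyFilter lines from this thread, read as the regexes proftpd
# matches against every command argument (a hit is answered with
# "Forbidden command argument").  The conf lines are the thread's; turning
# them into Python regexes is my assumption.
DENY_STAR_SLASH = r"\*/"        # DenyFilter "\\*/" : a literal '*' right before '/'
DENY_STAR_ANY_SLASH = r"\*.*/"  # DenyFilter \*.*/  : a literal '*' anywhere before a '/'


def is_forbidden(argument: str, deny_regex: str = DENY_STAR_SLASH) -> bool:
    """True if a DenyFilter carrying deny_regex would reject this argument."""
    return re.search(deny_regex, argument) is not None


def expand(tree: dict, cwd: tuple, parts: list) -> list:
    """Expand a path pattern over a constructed directory tree.

    tree maps a directory (tuple of names from the root) to its child
    directory names; '*' matches every child, '..' pops one level and a
    plain name descends.  The whole result list exists at once, which is
    what the server's glob code ends up holding in memory."""
    if not parts:
        return [cwd]
    head, rest = parts[0], parts[1:]
    if head == "*":
        return [p for child in tree.get(cwd, [])
                for p in expand(tree, cwd + (child,), rest)]
    if head == "..":
        return expand(tree, cwd[:-1], rest)
    return expand(tree, cwd + (head,), rest) if head in tree.get(cwd, []) else []


def expansion_count(subdirs: int, stars: int) -> int:
    """Paths that '../*/../*/.../' resolves to when the parent directory has
    `subdirs` children: every '*' multiplies the candidate set, so the result
    is subdirs ** stars (the argument in this thread carries ten stars)."""
    names = [f"d{i}" for i in range(subdirs)]
    tree = {(): names}                       # constructed: root with `subdirs` children
    parts = [p for p in ("../*/" * stars).split("/") if p]
    return len(expand(tree, ("home",), parts))


if __name__ == "__main__":
    bad = "../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../"
    for arg in (bad, "*.txt", "pub/", "*/", "*a/"):
        print(f"{arg!r:58} \\*/ -> {is_forbidden(arg, DENY_STAR_SLASH)!s:5} "
              f"\\*.*/ -> {is_forbidden(arg, DENY_STAR_ANY_SLASH)}")
    for d in (2, 5, 10):
        print(f"{d} subdirs x 4 stars -> {expansion_count(d, 4)} paths")
```

Note that `\*/` also rejects a plain `*/` (listing subdirectories) while letting `*a/` through, and `\*.*/` rejects anything with a `*` somewhere before a `/`, so either filter costs some legitimate globbing; the count is subdirs ** stars, which is why ten stars over a parent with even a handful of subdirectories is enough to exhaust memory.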
Re: proftpd exploit??
On Thu, 24 May 2001, Andres Herrera wrote:

> I've tried to exploit it by logging in and sending:
> ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> and suddenly it began eating memory and the whole system got slow.
...
> Any solution??

Resource limits on the ftp server process?

Zak.