RE: [d-security] RE: strange proftpd segfault and conntrack_ftp messages
ahhh ok, I should have read that. I missed it.

-----Original Message-----
From: Christian Hammers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 03, 2002 11:50 AM
To: debian-security@lists.debian.org
Subject: Re: [d-security] RE: strange proftpd segfault and conntrack_ftp messages

On Thu, Jan 03, 2002 at 11:44:49AM -0500, Gary MacDougall wrote:
> Right, and I think it's strange that the parent process felt the need
> to kill the child process. It might be justified if the child seg'd
> or died, but I thought xinetd handled this with more grace than, say,
> inetd... just curious, that's all.

No, no, xinetd didn't kill the proftpd process. It just started it, then
realized that its child had just died, and then saved the pid number and
duration time for debugging reasons in the syslog, as it couldn't do more.

  ProFTPD terminating (signal 11)
  xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.310 / Virus Database: 171 - Release Date: 12/19/2001

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.310 / Virus Database: 171 - Release Date: 12/19/2001
Re: [d-security] Re: strange proftpd segfault and conntrack_ftp messages
On Thu, Jan 03, 2002 at 04:47:29PM +, Mark Lowes wrote:
> > > I find it interesting that the seg fault happened, then xinetd reported it
> > > failed.
>
> Can you replicate the failure / segv in standalone mode?

Sadly not, and the IP belongs to a /16 network from UUNet, so there is nearly
no chance to simply ask someone what he did. I now have ngrep and tcpdump
running in case it happens again.

bye,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
Re: [d-security] RE: strange proftpd segfault and conntrack_ftp messages
On Thu, Jan 03, 2002 at 11:44:49AM -0500, Gary MacDougall wrote:
> Right, and I think it's strange that the parent process felt the need
> to kill the child process. It might be justified if the child seg'd
> or died, but I thought xinetd handled this with more grace than, say,
> inetd... just curious, that's all.

No, no, xinetd didn't kill the proftpd process. It just started it, then
realized that its child had just died, and then saved the pid number and
duration time for debugging reasons in the syslog, as it couldn't do more.

  ProFTPD terminating (signal 11)
  xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
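The distinction Christian draws above (xinetd did not kill anything, it only reaped a child that had already died and logged what wait() told it) is easy to see with a small supervisor. The following is an added example, not code from the thread, xinetd or ProFTPD. It forks two throwaway children: one exits with status 1 on its own, which is what the log shows happened here (ProFTPD's own handler logged "terminating (signal 11)" and xinetd then reported status=1 rather than a signal), and one that dies from an uncaught SIGSEGV, which a parent sees as a termination signal with no exit status at all. The xinetd_style_line formatting is an assumption about xinetd's wording for the signal case; only the status= form appears in the thread.

```python
"""What a supervisor such as xinetd learns from waitpid() when a child dies.

Added example, not from the thread. Requires a POSIX system (os.fork).
"""
import os
import signal


def describe_wait_status(status):
    """Decode a raw wait status into the fields a supervisor would log."""
    if os.WIFEXITED(status):
        # Child called exit(): the supervisor gets an exit status, not a signal.
        return {"how": "exited", "status": os.WEXITSTATUS(status)}
    if os.WIFSIGNALED(status):
        # Kernel terminated the child: the supervisor gets the signal number.
        return {"how": "signaled", "signal": os.WTERMSIG(status),
                "core": os.WCOREDUMP(status)}
    return {"how": "other"}


def supervise(child_action):
    """Fork, run child_action in the child, reap it, report like a supervisor."""
    pid = os.fork()
    if pid == 0:
        # Child: whatever happens, never return into the parent's code path.
        try:
            child_action()
        finally:
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    report = describe_wait_status(status)
    report["pid"] = pid
    return report


def daemon_caught_fault_and_exited():
    # Stand-in for a daemon whose own SIGSEGV handler logs and then exits 1,
    # which is consistent with xinetd's "status=1" in the thread.
    os._exit(1)


def daemon_killed_by_signal():
    # Uncaught SIGSEGV: the kernel terminates the process; no exit status exists.
    os.kill(os.getpid(), signal.SIGSEGV)
    os._exit(99)  # never reached


def xinetd_style_line(report, service="ftp"):
    """Format the report in the shape of the EXIT line quoted in the thread.

    The "signal=" form is an assumption about xinetd's wording (only the
    "status=" form is shown in the thread).
    """
    if report["how"] == "exited":
        return f"EXIT: {service} status={report['status']} pid={report['pid']}"
    return f"EXIT: {service} signal={report['signal']} pid={report['pid']}"


if __name__ == "__main__":
    for action in (daemon_caught_fault_and_exited, daemon_killed_by_signal):
        print(xinetd_style_line(supervise(action)))
```

The practical reading for an incident: a `status=` line after a "terminating (signal 11)" message means the daemon survived long enough to run its crash handler, so its own logs (and a core file, if enabled) are where the evidence is; a `signal=` line would mean the process died before it could say anything.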
Re: strange proftpd segfault and conntrack_ftp messages
On Thu, 2002-01-03 at 16:33, Christian Hammers wrote:
> On Thu, Jan 03, 2002 at 11:31:38AM -0500, Gary MacDougall wrote:
> > I find it interesting that the seg fault happened, then xinetd reported it
> > failed.

Can you replicate the failure / segv in standalone mode?

Mark
RE: strange proftpd segfault and conntrack_ftp messages
Right, and I think it's strange that the parent process felt the need to kill
the child process. It might be justified if the child seg'd or died, but I
thought xinetd handled this with more grace than, say, inetd... just curious,
that's all.

g.

-----Original Message-----
From: Christian Hammers [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 03, 2002 11:34 AM
To: Gary MacDougall
Cc: Sven Hoexter; debian-security@lists.debian.org
Subject: Re: strange proftpd segfault and conntrack_ftp messages

On Thu, Jan 03, 2002 at 11:31:38AM -0500, Gary MacDougall wrote:
> I find it interesting that the seg fault happened, then xinetd reported it
> failed.

xinetd was proftpd's daddy:

  ServerType inetd

bye,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
Re: strange proftpd segfault and conntrack_ftp messages
On Thu, Jan 03, 2002 at 11:31:38AM -0500, Gary MacDougall wrote:
> I find it interesting that the seg fault happened, then xinetd reported it
> failed.

xinetd was proftpd's daddy:

  ServerType inetd

bye,

-christian-

-- 
Christian Hammers    WESTEND GmbH - Aachen and Dueren    Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified
RE: strange proftpd segfault and conntrack_ftp messages
I find it interesting that the seg fault happened, then xinetd reported it
failed. I wonder if it's not proftpd, but xinetd... just a thought.

g.

-----Original Message-----
From: Sven Hoexter [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 03, 2002 5:24 AM
To: debian-security@lists.debian.org
Cc: Christian Hammers
Subject: Re: strange proftpd segfault and conntrack_ftp messages

On Wed, Jan 02, 2002 at 05:48:58PM +0100, Christian Hammers wrote:
> Hello
>
> Does anybody know a security bug for which this could be a hint?
> (hostname and ip's faked for obvious reasons)
>
> The server runs:
>   kernel 2.4.11-pre6
>   xined_2.1.8.8p3-1.1.deb
>   proftpd_1.2.4-2.deb
>
> Apart from that, the IP only did some normal web browsing without any
> tricks like tried cgi accesses or similar.
>
> TIA,
>
> -christian-
>
> On Wed, Jan 02, 2002 at 03:45:03PM +0100, root wrote:
> > Jan 2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
> > Jan 2 15:44:18 server proftpd[3420]: server.domain (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login attempted.
> > Jan 2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
> > Jan 2 15:44:31 server proftpd[3425]: server.domain (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11)
> > Jan 2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)

The SECURITY VIOLATION message is ok and only occurs when somebody tries to
login with root over ftp. The SIG 11 seems to be another problem. Please try
to reproduce this with proftpd in standalone mode with the -nd 5 flags for
debugging.

Sven
-- 
>Lamer! :)
Local admin with enormous privileges[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de http://www.bluephod.net http://www.disconow.de
Re: strange proftpd segfault and conntrack_ftp messages
On Wed, Jan 02, 2002 at 05:48:58PM +0100, Christian Hammers wrote:
> Hello
>
> Does anybody know a security bug for which this could be a hint?
> (hostname and ip's faked for obvious reasons)
>
> The server runs:
>   kernel 2.4.11-pre6
>   xined_2.1.8.8p3-1.1.deb
>   proftpd_1.2.4-2.deb
>
> Apart from that, the IP only did some normal web browsing without any
> tricks like tried cgi accesses or similar.
>
> TIA,
>
> -christian-
>
> On Wed, Jan 02, 2002 at 03:45:03PM +0100, root wrote:
> > Jan 2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
> > Jan 2 15:44:18 server proftpd[3420]: server.domain (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login attempted.
> > Jan 2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
> > Jan 2 15:44:31 server proftpd[3425]: server.domain (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11)
> > Jan 2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)

The SECURITY VIOLATION message is ok and only occurs when somebody tries to
login with root over ftp. The SIG 11 seems to be another problem. Please try
to reproduce this with proftpd in standalone mode with the -nd 5 flags for
debugging.

Sven
-- 
>Lamer! :)
Local admin with enormous privileges[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de http://www.bluephod.net http://www.disconow.de
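Sven's reading of the log is the right one: the SECURITY VIOLATION line is routine, the crash is the real question, and the two only become interesting together, i.e. when the same client that just tried a root login is the one whose session segfaults a few seconds later. The script below is an added example, not code from the thread or from any of the projects mentioned; it parses the five syslog lines Christian posted (reproduced here as constructed sample input, with the hostname and IP already faked in the original mail) into events and then, for every ProFTPD crash, pulls together the context a responder would want: prior root-login attempts from the same client within a window, the xinetd EXIT record for the same pid, and any conntrack_ftp "partial" messages in the same window. The 60-second window and the field names are my choices, not anything the thread specifies.

```python
"""Correlate the syslog lines from the thread into one FTP incident record.

Added example, not from the thread. SAMPLE_LOG is a constructed copy of the
five lines Christian posted (hostname and IPs were already faked there).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Jan 2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
Jan 2 15:44:18 server proftpd[3420]: server.domain (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login attempted.
Jan 2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
Jan 2 15:44:31 server proftpd[3425]: server.domain (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11)
Jan 2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# ProFTPD prefixes its messages with "(client-name[client-ip]) - "
PROFTPD_CLIENT_RE = re.compile(r"\((?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]\) - (?P<text>.*)$")
SIGNAL_RE = re.compile(r"terminating \(signal (?P<sig>\d+)\)")
XINETD_EXIT_RE = re.compile(
    r"EXIT: (?P<service>\S+) status=(?P<status>\d+) pid=(?P<pid>\d+) duration=(?P<dur>\d+)\(sec\)"
)
# Kernel FTP helper could only partially parse a command (PORT here) in a packet
PARTIAL_RE = re.compile(r"conntrack_ftp: partial (?P<cmd>\w+) (?P<detail>\S+)")


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year defaults to 1900; only deltas matter
        "host": m["host"], "prog": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "kind": "other", "msg": m["msg"],
    }
    msg = m["msg"]
    if ev["prog"] == "proftpd":
        c = PROFTPD_CLIENT_RE.search(msg)
        if c:
            ev["client"] = c["ip"]
            s = SIGNAL_RE.search(c["text"])
            if s:
                ev["kind"], ev["signal"] = "crash", int(s["sig"])
            elif "root login attempted" in c["text"]:
                ev["kind"] = "root_login_attempt"
    elif ev["prog"] == "xinetd":
        x = XINETD_EXIT_RE.search(msg)
        if x:
            ev.update(kind="service_exit", service=x["service"], status=int(x["status"]),
                      child_pid=int(x["pid"]), duration=int(x["dur"]))
    elif ev["prog"] == "kernel":
        p = PARTIAL_RE.search(msg)
        if p:
            ev.update(kind="conntrack_partial", cmd=p["cmd"], detail=p["detail"])
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def correlate(events, window_seconds=60):
    """For every daemon crash, gather the surrounding context into one alert."""
    alerts = []
    for ev in events:
        if ev["kind"] != "crash":
            continue
        age = lambda e: (ev["ts"] - e["ts"]).total_seconds()
        prior = [e for e in events if e["kind"] == "root_login_attempt"
                 and e.get("client") == ev["client"] and 0 <= age(e) <= window_seconds]
        exits = [e for e in events if e["kind"] == "service_exit" and e["child_pid"] == ev["pid"]]
        partials = [e for e in events if e["kind"] == "conntrack_partial" and 0 <= age(e) <= window_seconds]
        alerts.append({
            "ts": ev["ts"], "client": ev["client"], "pid": ev["pid"], "signal": ev["signal"],
            "prior_root_attempts": len(prior),
            "seconds_since_root_attempt": age(prior[-1]) if prior else None,
            "xinetd_status": exits[0]["status"] if exits else None,
            "session_seconds": exits[0]["duration"] if exits else None,
            "partial_ftp_commands": len(partials),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the thread's lines this yields a single alert: client 111.222.333.444, pid 3425, signal 11, one root-login attempt 13 seconds earlier, xinetd status 1 after an 8-second session, and two partial-PORT messages in the window. That is the shape of record worth keeping alongside the ngrep/tcpdump capture Christian set up, since a crash with a matching packet capture is what turns "strange segfault" into something reproducible in standalone mode.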