Koozali.org: home of the SME Server

ProFTPD Exploit

BuggyM

ProFTPD Exploit
« on: May 04, 2004, 07:07:04 AM »
I am running the 6.1 custom ISO and I'm getting root exploits through proftpd. Can someone please show me how to correct this issue... is there an updated RPM?

Cheers BuggyM

BuggyM

ProFTPD Exploit
« Reply #1 on: May 04, 2004, 08:37:48 AM »
Anyone got any suggestions... This is an exploit to gain ROOT access.....this is not good. Is there a patch?

Reinhold
ProFTPD Exploit
« Reply #2 on: May 04, 2004, 09:03:02 AM »
8-) BuggyM,8-)

Why not show us some proof -or data- that you got "rooted"...
What is "SME 6.1 custom iso"? Specify?

(not that I want to doubt "whoisBuggyM" but... :roll: )
What is this: A warning? A search? A complaint? -sry-
http://www.proftpd.org/ seems to know nothing ...but is "proud"

Turning OFF the FTP ASAP isn't an option???

In general SECURITY ISSUES OF SUCH IMPORTANCE should be addressed to support first ...
...and a public announcement made when a fix (hopefully) is available.

Yours securely
Reinhold
............

BuggyM

ProFTPD Exploit
« Reply #3 on: May 04, 2004, 01:51:34 PM »
May  2 03:19:58 gateway proftpd[27749]: gateway.thehelpshop.org (xxx.xxx.xx.xxx[xxx.xxx.xx.xx]) - SECURITY VIOLATION: root login attempted.

Custom ISO is discussed in the forums; it's 6.1 with some of the contribs integrated to save hassle....

I have obviously disabled the FTP server but it's kind of important to have FTP for myself.

There are bugs for proftpd which I have found from 2003 that allowed root access.

How do I find out what version contribs is using?

Anonymous

ProFTPD Exploit
« Reply #4 on: May 04, 2004, 01:55:38 PM »
Quote from: "Reinhold"
In general SECURITY ISSUES OF SUCH IMPORTANCE should be addressed to support first ...
...and a public announcement made when a fix (hopefully) is available.

Yes I could have done this but if I've had attempts I'm sure others have.

I thought that I would let others know. I had searched for an updated package. It might have been my fault, or there might have been a patch; for this reason I posted here before e-mailing support.

BuggyM

I'm Registered now...
« Reply #5 on: May 04, 2004, 02:05:13 PM »
Just Registered.

Souley

ProFTPD Exploit
« Reply #6 on: May 04, 2004, 04:48:10 PM »
Hi
Quote from: "BuggyM"
May  2 03:19:58 gateway proftpd[27749]: gateway.thehelpshop.org (xxx.xxx.xx.xxx[xxx.xxx.xx.xx]) - SECURITY VIOLATION: root login attempted.

Doesn't mean the login succeeded.
Just someone tried to login as root, isn't it?

Souley

Reinhold
ProFTPD Exploit
« Reply #7 on: May 04, 2004, 06:45:30 PM »
BuggyM,

RingZero is (what do you expect?) an M-Soft problem :-D
...but not to rest the case here ...:-D 8-)

As to SME and (possible) ProFTPD problems...
=======================================================
Go to the good old: http://www.e-smith.org/
and locate:
http://www.e-smith.org/article.php3
...for the last (?), latest (?), back-then (?) vulnerability info you found out about.

What's your version?
What do you use? -hmmh- I still do not know about "6.1" but
this could show you what you have currently running...

"rpm -qa|grep proftpd"
e-smith-proftpd-1.10.0-02
proftpd-1.2.9-es1

"locate proftpd" should (at least) find:
proftpd-1.2.9-es1.i386.rpm

Latest SME version?
ibiblio (usually up to date under "current") offers:
http://www.ibiblio.org/pub/linux/distributions/e-smith/releases/current/SRPMS/proftpd-1.2.9-es1.src.rpm

Security
http://www.proftpd.org/security.html
says:
Security
All users of ProFTPD are strongly urged to upgrade to at least ProFTPD 1.2.7p as soon as possible and preferably the most recent stable version (1.2.9).

[NOW] ...the logfile-line you show simply means "someone was rejected"... IMHO.
Go and just look at how your regular logins are recorded (like Souley already wrote ...)

Have you tried nessus http://www.nessus.org/
or chkrootkit http://www.chkrootkit.org/

HTH
Reinhold
............

BuggyM

ProFTPD Exploit
« Reply #8 on: May 05, 2004, 08:36:10 AM »
Thank you for the info, I might have a look at Tripwire as well when I get a chance.

I noticed the link is to a source RPM; how do you compile this for SME Server?

BuggyM

ProFTPD Exploit
« Reply #9 on: May 05, 2004, 08:37:11 AM »
Also I don't think it logs successful logins.... Unless I'm missing something, but I will have a look.

BuggyM

ProFTPD Exploit
« Reply #10 on: May 06, 2004, 01:44:15 PM »
Ok I have a real problem.... proftpd is reporting as 1.2.9-es1 which is current, so can someone please explain how the hacker attempted root access.  :-o  :-?

Also what's the best way to update the various RPMs on the server using a progiies?

NickR
ProFTPD Exploit
« Reply #11 on: May 06, 2004, 04:12:37 PM »
Quote from: "BuggyM"
Ok I have a real problem.... proftpd is reporting as 1.2.9-es1 which is current, so can someone please explain how the hacker attempted root access.  :-o  :-?


*Anyone* can _attempt_ to login as anything on a public FTP server.  This isn't a bug or a security concern.  On a standard SME, root is prevented from logging in & that's what you're seeing in the logs.  Successful logins are also logged in /var/log/messages & the files they've uploaded/downloaded are in xferlog.
--
Nick......
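The thread turns on reading the proftpd log correctly: a "SECURITY VIOLATION: root login attempted." line is a rejected attempt, while a successful login is a separate message. Below is an added example (not from the forum posts or the SME project) that parses constructed log lines in the syslog format quoted above, counts rejected root attempts per source IP, and raises an alert only if a login as root actually succeeded. The "USER name: Login successful." message format is assumed from ProFTPD 1.2.x, since the thread does not quote one; the IPs and hostnames are made up.

```python
import re
from collections import Counter

# Constructed sample in the ProFTPD syslog format quoted in the thread.
# The "Login successful" wording is an assumption (ProFTPD 1.2.x), not from the page.
SAMPLE_LOG = """\
May  2 03:19:58 gateway proftpd[27749]: gateway.example.org (203.0.113.5[203.0.113.5]) - SECURITY VIOLATION: root login attempted.
May  2 03:20:02 gateway proftpd[27749]: gateway.example.org (203.0.113.5[203.0.113.5]) - SECURITY VIOLATION: root login attempted.
May  2 03:21:10 gateway proftpd[27750]: gateway.example.org (198.51.100.7[198.51.100.7]) - USER alice: Login successful.
May  2 03:22:44 gateway proftpd[27751]: gateway.example.org (203.0.113.5[203.0.113.5]) - USER root: Login successful.
"""

# timestamp, host, pid, server name, (client_host[client_ip]), then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\) - (?P<msg>.*)$"
)
ROOT_REJECTED = "SECURITY VIOLATION: root login attempted."
LOGIN_OK_RE = re.compile(r"^USER (?P<user>\S+): Login successful\.$")


def parse_proftpd_log(text):
    """Return (rejected_root_attempts_per_ip, successful_logins, alerts).

    A "root login attempted" line is the server refusing the login (RootLogin off),
    so it is counted as noise, not as a compromise. A successful login whose user
    is root is the condition that actually warrants an alert.
    """
    rejected = Counter()
    successes = []
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a proftpd line in this format; ignore
        ip, msg = m.group("ip"), m.group("msg")
        if msg == ROOT_REJECTED:
            rejected[ip] += 1
            continue
        ok = LOGIN_OK_RE.match(msg)
        if ok:
            successes.append((ok.group("user"), ip))
            if ok.group("user") == "root":
                alerts.append(f"root logged in over FTP from {ip} at {m.group('ts')}")
    return rejected, successes, alerts
```

Running `parse_proftpd_log(SAMPLE_LOG)` on the sample gives two rejected root attempts from one IP, one normal login, and one alert for the root login that succeeded.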

raem
ProFTPD Exploit
« Reply #12 on: May 06, 2004, 08:57:21 PM »
Dear BuggyM

> I have obviously disabled the FTP server but it's kind of important to have FTP for myself.

FTP is inherently insecure; if you were 'really' concerned about security you would not use FTP at all!!

You can VPN to your server or ssh using winscp2 to upload and download files "securely".

Regs
Ray
...