Security Incidents mailing list archives
Possible crack attempt against ProFTPD or a DoS?
From: "Steven J. Hill" <sjhill () cotw com>
Date: Wed, 7 Feb 2001 14:09:58 -0600
Greetings. I had been away from my server for a couple of days and went into my incoming FTP directory and discovered the following:

    /data/ftp/incoming$ ls -al
    total 24
    drwxr-xr-x 3 ftp  ftp  4096 Feb 4 16:46 Tagged
    drwx-wx-wt 6 root root 4096 Feb 7 10:23 .
    drwxr-xr-x 7 root root 4096 Feb 7 10:23 ..
    drwxr-xr-x 2 ftp  ftp  4096 Feb 4 16:51 tAGGED
    drwxr-xr-x 2 ftp  ftp  4096 Feb 3 11:53 tagged
    drwxr-xr-x 2 ftp  ftp  4096 Feb 3 14:13 tagged by Kyle21

Here I see how much space these take up:

    /data/ftp/incoming$ du -sc *
    322728  Tagged
    4       tAGGED
    4       tagged
    4       tagged by Kyle21
    322740  total

Three of the directories are empty; the other one has a complete path of:

    "/data/ftp/incoming/ Tagged/by/The CriMiNaL/FiLLed BY /The CriMiNaL/&/DoMiNique"

I then do a 'ls -al *' and get:

    1000 arms disk 2:
    total 185808
    drwxr-xr-x 2 ftp ftp     4096 Feb 5 05:44 .
    drwxr-xr-x 4 ftp ftp     4096 Feb 5 02:07 ..
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 02:28 1000 arms disk2.r00
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 02:49 1000 arms disk2.r01
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 03:09 1000 arms disk2.r02
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 03:29 1000 arms disk2.r03
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 03:49 1000 arms disk2.r04
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 04:09 1000 arms disk2.r05
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 04:29 1000 arms disk2.r06
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 04:49 1000 arms disk2.r07
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 05:09 1000 arms disk2.r08
    -rw-r--r-- 1 ftp ftp 19000000 Feb 5 05:29 1000 arms disk2.r09

    darstone 001 to 007:
    total 136900
    drwxr-xr-x 2 ftp ftp     4096 Feb 5 02:06 .
    drwxr-xr-x 4 ftp ftp     4096 Feb 5 02:07 ..
    -rw-r--r-- 1 ftp ftp 20000000 Feb 5 02:01 kal-drks.001ok
    -rw-r--r-- 1 ftp ftp 20000000 Feb 4 18:55 kal-drks.002
    -rw-r--r-- 1 ftp ftp 20000000 Feb 4 19:20 kal-drks.003
    -rw-r--r-- 1 ftp ftp 20000000 Feb 4 19:41 kal-drks.004
    -rw-r--r-- 1 ftp ftp 20000000 Feb 4 20:06 kal-drks.005
    -rw-r--r-- 1 ftp ftp 20000000 Feb 4 20:30 kal-drks.006
    -rw-r--r-- 1 ftp ftp 20000000 Feb 4 21:01 kal-drks.007

Fortunately I run Tripwire regularly and discovered that no files were changed or replaced. I was using the following:

    Tripwire v1.3
    ProFTPD v1.2.0rc2
    Linux-2.2.18 kernel
    RedHat 6.2

Time is synchronized with NTPD. I am UTC-0600 in case there was a bunch of these happening to other people.

I promptly went and installed the latest ProFTPD v1.2.0rc3, as well as changing the rule sets in the configuration to prevent creation of directories and a few other rules for the 'incoming' directory. I also ran 'file' on all of these files to see what they were:

    1000 arms disk 2/1000 arms disk2.r00: RAR archive data
    1000 arms disk 2/1000 arms disk2.r01: RAR archive data
    1000 arms disk 2/1000 arms disk2.r02: RAR archive data
    1000 arms disk 2/1000 arms disk2.r03: RAR archive data
    1000 arms disk 2/1000 arms disk2.r04: RAR archive data
    1000 arms disk 2/1000 arms disk2.r05: RAR archive data
    1000 arms disk 2/1000 arms disk2.r06: RAR archive data
    1000 arms disk 2/1000 arms disk2.r07: RAR archive data
    1000 arms disk 2/1000 arms disk2.r08: RAR archive data
    1000 arms disk 2/1000 arms disk2.r09: RAR archive data
    darstone 001 to 007/kal-drks.001ok: RAR archive data
    darstone 001 to 007/kal-drks.002: RAR archive data
    darstone 001 to 007/kal-drks.003: RAR archive data
    darstone 001 to 007/kal-drks.004: RAR archive data
    darstone 001 to 007/kal-drks.005: RAR archive data
    darstone 001 to 007/kal-drks.006: RAR archive data
    darstone 001 to 007/kal-drks.007: RAR archive data

I have spent enough time this morning and afternoon performing audits and such. It appears that I did not have any compromise, but it looks like somebody was preparing to do something and/or trying to fill up my disk partition. Any insight from people would be appreciated.

-Steve

--
Steven J. Hill - Embedded SW Engineer
Public Key: 'finger sjhill () mail cotw com'
FPR1: E124 6E1C AF8E 7802 A815
FPR2: 7D72 829C 3386 4C4A E17D
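The checks Steven ran by hand (ls, du, file) can be folded into one script that audits an anonymous-FTP drop directory for the same indicators: subdirectories created by remote users, split RAR volume names, files carrying the RAR magic regardless of name, world-writable directories (what "tagging" scanners hunt for), and total usage against a quota. This is an added example, not code from the original post or from ProFTPD; the /data/ftp/incoming path, the 100 MB default threshold and the fixture names in the usage are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from ProFTPD).
#
# audit_incoming DIR [MAX_KB]
#   Prints one summary line, then the size of every nested directory
#   (like the du -sc run in the post, but for all levels). Exit status
#   0 means the drop box looks clean; 1 means at least one indicator fired:
#     - any subdirectory: a drop box should accept files only, and the
#       "Tagged" / "tagged by ..." trees mark a server a pub-scanning group owns
#     - split-archive part names: RAR volumes (.r00, .r01 ...) or numbered
#       parts (.001, .002 ...), plus the ".001ok" marker seen in the post
#     - files whose first four bytes are "Rar!" (what file(1) reported as
#       "RAR archive data"), whatever the file is called
#     - world-writable subdirectories (mode bit 0002 set)
#     - total usage above MAX_KB kilobytes (assumed default: 102400 = 100 MB)
audit_incoming() {
    dir=$1
    max_kb=${2:-102400}

    # Every count goes through $(( )) so the padding some wc(1) builds print is dropped.
    subdirs=$(( $(find "$dir" -mindepth 1 -type d | wc -l) ))
    parts=$(( $(find "$dir" -type f \( -name '*.r[0-9][0-9]' \
                -o -name '*.[0-9][0-9][0-9]' -o -name '*.[0-9][0-9][0-9]ok' \) | wc -l) ))
    # Trust the bytes, not the name: read the first four bytes of each file.
    rars=$(( $(find "$dir" -type f -exec sh -c \
                '[ "$(head -c 4 "$1" 2>/dev/null)" = "Rar!" ]' sh {} \; -print | wc -l) ))
    # -perm -002: all bits of 0002 (other-write) are set in the directory mode.
    wwdirs=$(( $(find "$dir" -mindepth 1 -type d -perm -002 | wc -l) ))
    kbytes=$(( $(du -sk "$dir" | cut -f1) ))

    printf 'subdirs=%d archive_parts=%d rar_magic=%d world_writable_dirs=%d kbytes=%d\n' \
        "$subdirs" "$parts" "$rars" "$wwdirs" "$kbytes"
    # Largest directories first, so a filled "Tagged" tree is the first line you read.
    find "$dir" -mindepth 1 -type d -exec du -sk {} \; | sort -rn

    if [ "$subdirs" -gt 0 ] || [ "$parts" -gt 0 ] || [ "$rars" -gt 0 ] \
       || [ "$wwdirs" -gt 0 ] || [ "$kbytes" -gt "$max_kb" ]; then
        return 1
    fi
    return 0
}

# Usage (assumed path and quota): sh audit_incoming.sh /data/ftp/incoming 200000
if [ $# -gt 0 ]; then
    audit_incoming "$@"
fi
```

Run it from cron against the drop box and alert on a non-zero exit; with the listing in the post it would report five "Tagged"/"tagged" subdirectories, seventeen archive parts and about 322 MB in use. The script only finds what has already been dropped; the fix Steven applied on the server side is the one that stops it, and in ProFTPD terms that is a `<Directory>` block for the incoming tree with `<Limit MKD XMKD RMD XRMD>` set to `DenyAll` (no directory creation, so no "tagging"), `<Limit READ DIRS>` set to `DenyAll` so the box is write-only and cannot serve as a distribution point, and a restrictive `Umask` so uploads are not world-readable. A per-upload size cap and a dedicated partition for the incoming directory keep the disk-fill variant from taking the rest of the system down with it.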
Current thread:
- Possible crack attempt against ProFTPD or a DoS? Steven J. Hill (Feb 07)
- Re: Possible crack attempt against ProFTPD or a DoS? Jose Nazario (Feb 07)
- Re: Possible crack attempt against ProFTPD or a DoS? Steven J. Hill (Feb 07)
- Re: Possible crack attempt against ProFTPD or a DoS? Jose Nazario (Feb 07)