Security Incidents mailing list archives

Possible crack attempt against ProFTPD or a DoS?


From: "Steven J. Hill" <sjhill () cotw com>
Date: Wed, 7 Feb 2001 14:09:58 -0600

Greetings.

I had been away from my server for a couple of days and went into
my incoming FTP directory and discovered the following:

   /data/ftp/incoming$ ls -al
   total 24
   drwxr-xr-x    3 ftp      ftp          4096 Feb  4 16:46                          Tagged
   drwx-wx-wt    6 root     root         4096 Feb  7 10:23 .
   drwxr-xr-x    7 root     root         4096 Feb  7 10:23 ..
   drwxr-xr-x    2 ftp      ftp          4096 Feb  4 16:51 tAGGED
   drwxr-xr-x    2 ftp      ftp          4096 Feb  3 11:53 tagged
   drwxr-xr-x    2 ftp      ftp          4096 Feb  3 14:13 tagged by Kyle21

Here I see how much space these take up:

   /data/ftp/incoming$ du -sc *
   322728                                Tagged
   4    tAGGED
   4    tagged
   4    tagged by Kyle21
   322740       total

Three of the directories are empty, the other one has a complete path of:

   "/data/ftp/incoming/                         Tagged/by/The CriMiNaL/FiLLed BY/The CriMiNaL/&/DoMiNique"

I then do a 'ls -al *' and get:

   1000 arms disk 2:
   total 185808
   drwxr-xr-x    2 ftp      ftp          4096 Feb  5 05:44 .
   drwxr-xr-x    4 ftp      ftp          4096 Feb  5 02:07 ..
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 02:28 1000 arms disk2.r00
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 02:49 1000 arms disk2.r01
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 03:09 1000 arms disk2.r02
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 03:29 1000 arms disk2.r03
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 03:49 1000 arms disk2.r04
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 04:09 1000 arms disk2.r05
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 04:29 1000 arms disk2.r06
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 04:49 1000 arms disk2.r07
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 05:09 1000 arms disk2.r08
   -rw-r--r--    1 ftp      ftp      19000000 Feb  5 05:29 1000 arms disk2.r09

   darstone 001 to 007:
   total 136900
   drwxr-xr-x    2 ftp      ftp          4096 Feb  5 02:06 .
   drwxr-xr-x    4 ftp      ftp          4096 Feb  5 02:07 ..
   -rw-r--r--    1 ftp      ftp      20000000 Feb  5 02:01 kal-drks.001ok
   -rw-r--r--    1 ftp      ftp      20000000 Feb  4 18:55 kal-drks.002
   -rw-r--r--    1 ftp      ftp      20000000 Feb  4 19:20 kal-drks.003
   -rw-r--r--    1 ftp      ftp      20000000 Feb  4 19:41 kal-drks.004
   -rw-r--r--    1 ftp      ftp      20000000 Feb  4 20:06 kal-drks.005
   -rw-r--r--    1 ftp      ftp      20000000 Feb  4 20:30 kal-drks.006
   -rw-r--r--    1 ftp      ftp      20000000 Feb  4 21:01 kal-drks.007

Fortunately I run Tripwire regularly and discovered that no files were
changed or replaced. I was using the following:

     Tripwire v1.3
     ProFTPD v1.2.0rc2
     Linux-2.2.18 kernel
     RedHat 6.2

Time is synchronized with NTPD. I am UTC-0600 in case there was a bunch
of these happening to other people. I promptly went and installed the
latest ProFTPD v1.2.0rc3 as well as changing the rule sets in the
configuration to prevent the creation of directories and a few other
rules for the 'incoming' directory. I also ran 'file' on all of these
files to see what they were:

    1000 arms disk 2/1000 arms disk2.r00: RAR archive data
    1000 arms disk 2/1000 arms disk2.r01: RAR archive data
    1000 arms disk 2/1000 arms disk2.r02: RAR archive data
    1000 arms disk 2/1000 arms disk2.r03: RAR archive data
    1000 arms disk 2/1000 arms disk2.r04: RAR archive data
    1000 arms disk 2/1000 arms disk2.r05: RAR archive data
    1000 arms disk 2/1000 arms disk2.r06: RAR archive data
    1000 arms disk 2/1000 arms disk2.r07: RAR archive data
    1000 arms disk 2/1000 arms disk2.r08: RAR archive data
    1000 arms disk 2/1000 arms disk2.r09: RAR archive data
    darstone 001 to 007/kal-drks.001ok:   RAR archive data
    darstone 001 to 007/kal-drks.002:     RAR archive data
    darstone 001 to 007/kal-drks.003:     RAR archive data
    darstone 001 to 007/kal-drks.004:     RAR archive data
    darstone 001 to 007/kal-drks.005:     RAR archive data
    darstone 001 to 007/kal-drks.006:     RAR archive data
    darstone 001 to 007/kal-drks.007:     RAR archive data

I have spent enough time this morning and afternoon performing
audits and such. It appears that I did not have any compromise,
but it looks like somebody was preparing to do something and/or
trying to fill up my disk partition. Any insight from people
would be appreciated.

-Steve

--
 Steven J. Hill - Embedded SW Engineer
 Public Key: 'finger sjhill () mail cotw com'
 FPR1: E124 6E1C AF8E 7802 A815
 FPR2: 7D72 829C 3386 4C4A E17D
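A defender-side check for the drop-directory pattern described in the post (whitespace-padded names, the same name in several cases, split RAR volumes eating disk), as an added example that is not part of the original message or of ProFTPD; scan_incoming and the constructed sample tree are assumptions of this example, not data from the author's server.

```python
import os
import re
import tempfile
from collections import defaultdict

# Split-archive volume suffixes from the post's listing: name.r00, name.r01, ... and
# name.001 ... (the stray "ok" suffix on kal-drks.001ok is tolerated by [a-z]*).
RAR_VOLUME_RE = re.compile(r"\.(r\d{2}|\d{3})[a-z]*$", re.IGNORECASE)


def scan_incoming(root):
    """Return (kind, path, detail) findings for a world-writable FTP drop directory."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        names = dirs + files
        # 1. Names padded with whitespace: they blend into ls output and stretch the path.
        for n in names:
            if n != n.strip() or "  " in n:
                findings.append(("padded-name", os.path.join(dirpath, n), repr(n)))
        # 2. One name spelled in several cases in the same directory (Tagged, tAGGED, tagged).
        by_fold = defaultdict(list)
        for n in names:
            by_fold[n.strip().casefold()].append(n)
        for variants in by_fold.values():
            if len(variants) > 1:
                findings.append(("case-variants", dirpath, " | ".join(sorted(variants))))
        # 3. Two or more volumes of a split archive in one directory, with their total size.
        volumes = [os.path.join(dirpath, f) for f in files if RAR_VOLUME_RE.search(f)]
        if len(volumes) >= 2:
            size = sum(os.path.getsize(v) for v in volumes if not os.path.islink(v))
            findings.append(("rar-volumes", dirpath, "%d volumes, %d bytes" % (len(volumes), size)))
    return findings


def build_sample_tree():
    """Constructed sample mirroring the post's listing; 10-byte files stand in for the 19 MB volumes."""
    root = tempfile.mkdtemp(prefix="incoming-")
    drop = os.path.join(root, "   Tagged", "by", "1000 arms disk 2")
    os.makedirs(drop)
    for i in range(3):
        with open(os.path.join(drop, "1000 arms disk2.r%02d" % i), "wb") as fh:
            fh.write(b"x" * 10)
    for empty in ("tAGGED", "tagged", "tagged by Kyle21"):
        os.mkdir(os.path.join(root, empty))
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_incoming(build_sample_tree()):
        print(kind, path, detail)
```

Run it from cron against the real incoming directory instead of build_sample_tree() and forward non-empty output to the admin mailbox.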

