
Re: [cobalt-security] Hacked by SDI linux remote exploit for ProFTP



The first strange thing I found was an e-mail from root, as follows:
swatch_service_body_ahttp

Then I got this message: I had a directory on the home volume that I did not create.
------------------
cain

is very near or over the disk space limit allocated on the Cobalt server.
Once the quota limit is reached, no more data can be stored. Consider moving
some data to another location or increasing the limit.

Quota Limit:  0.00 MB
Quota Used:  1.29 MB
Percent Used:  129 %
-------------------

Then I got this: the total sites' usage is around 507Mb.

-------------------
is getting very close to full.  This is very dangerous for the server
and can cause unexpected errors to occur.  You either need to move some
files to another storage device and delete them from the Cobalt server
or delete them altogether.  Consult the documentation for help adding
storage to your Cobalt server.

Total disk space:  17259.48 MB
Free disk space:  539.51 MB
Percent Used:  96 %
------------------------------

I looked at the tmp file and found this entry:

---x--x--x 1 webmaster root  15168 Sep 17 18.23 SDI-proftp

-------------------------------

I then exported all the sites and got out the restore disk.

I am not an expert on hacking and can only make assumptions unless I can get help.

Thanks for your interest.

Paul Harvey

----- Original Message -----
From: "Michael Stauber" <cobalt@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Saturday, September 29, 2001 4:30 PM
Subject: Re: [cobalt-security] Hacked by SDI linux remote exploit for ProFTP


> Hi Paul,
>
> > I could not find a direct e-mail to tell Sun/Cobalt about my hack.
> > Although I have all the security patches in place, including the
> > 'Security: proftpd Update 1.0.1' they got in using 'SDI linux remote
> > exploit for ProFTP'
> >
> > I have traced the hack to a Brazilian site which is freely available for
> > download. I can let Cobalt have the address if they do not already know
> > it.
>
> It appears that this particular exploit has been around since September
> 1999. The script in question works for ProFTPd 1.2.0. But as far as I
> understand it the vulnerability in question should have been fixed in
> ProFTPD 1.2.0rc3.
>
> A Cobalt with all patches in place should have proftpd-1.2.2rc1-C2, so I
> wonder how you came to the conclusion that you've been hacked this way?
>
> I'll compile the exploit and will run it against my own machine for a
> look-see, though.
>
> --
>
> With best regards,
>
> Michael Stauber
> SOLARSPEED.NET
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
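As an added example (not code from this thread, from Cobalt or from ProFTPD), the /tmp check Paul did by hand, written as a small POSIX shell script that lists executable files with their owner and mode and separately flags execute-only files like the SDI-proftp entry; the function names and the constructed sample directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original thread: a script version of the
# check Paul did by hand. It lists every regular file under a directory that
# has any execute bit set, with its owner, mode and size, so an entry like
# "---x--x--x webmaster root 15168 SDI-proftp" in /tmp stands out on review.
# The directory is a parameter; build_sample() creates a constructed sample
# directory so the check can be tried offline before pointing it at /tmp.

# Print one line per executable regular file: "<owner> <mode> <size> <path>".
find_executables() {
    dir="$1"
    # octal -perm tests (any of u+x, g+x, o+x) work on POSIX and busybox find
    find "$dir" -xdev -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        # ls -ld prints "mode links owner group size ..." on any Unix;
        # the path is passed in separately so names with spaces survive
        ls -ld "$f" | awk -v p="$f" '{ print $3, $1, $5, p }'
    done
}

# Flag execute-only files (no read bit for anyone), the pattern in the ls
# output Paul quoted; legitimate software is rarely installed that way.
# The mode match has no trailing anchor because ls may append "." or "+"
# when ACLs or a security label are present.
find_exec_only() {
    find_executables "$1" | awk '$2 ~ /^---x--x--x/'
}

# Constructed sample: one ordinary text file and one stand-in for the
# dropped binary, chmod 111 to match the ---x--x--x entry from the post.
build_sample() {
    sample="$(mktemp -d)"
    printf 'not a binary\n' > "$sample/notes.txt"
    chmod 644 "$sample/notes.txt"
    printf '#!/bin/sh\necho x\n' > "$sample/SDI-proftp"
    chmod 111 "$sample/SDI-proftp"
    printf '%s\n' "$sample"
}

# Against the real directory (run as root so unreadable files are listed):
#   find_executables /tmp
#   find_exec_only /tmp
```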