
[cobalt-security] ProFTPD Bug - may lead to a security issue



>But I guess the cobalt team will patch the 
>source code and then put the patch on the cobalt
>site, 

Agreed!

>easy no need to panic and disable your ftp.

Regardless of hair splitting (exploit, not exploit)
- the fact remains, one of my RaQ4s was brought to
its knees and all the services were unavailable for
all the domains as the machine went belly up. During
the day while I'm able to baby-sit, I can always just
reboot if some local kiddie (I never permit anonymous
access) decides to try and play in the sandbox again.
Then I can just boot their ass off the machine and
charge their cc an extra $300 for breaking my AUP.

You're correct, it is a local DoS attack. In the
article on Security Focus, the tester notes in the
debug session:

active data connection opened - local : 127.0.0.1
active data connection opened - remote : 127.0.0.1

While all our logs were filled with fun issues and
messages, in the secure log there's one line that
clearly showed when the attack started (and matched up
other stuff in the other logs).

in.proftpd[11728]: connect from 127.0.0.1

Normally, it's logged as:

in.proftpd[11728]: connect from local

After this, things just got crazy inside little blue.
Luckily, this isn't anything (yet) that one or two
good reboots won't cure if caught in time. Plus as I
stated before, they managed no access to the box
outside of their own standard FTP account. But they
did manage to crash little blue even if it took an
hour or so to do.. But I got an extra $300 added to my
paycheck this week as well, so all's okay..

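
Added example (not part of the original post): a small Python scan of a secure log for the line the poster describes, an in.proftpd connect logged from a loopback address instead of the usual "local". The syslog timestamp/host prefix and the sample lines are constructed assumptions; only the "in.proftpd[pid]: connect from ..." part comes from the message.

```python
import ipaddress
import re

# Matches the line quoted in the post, with or without a leading
# syslog timestamp/host prefix (the prefix format is an assumption).
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+)?"
    r"in\.proftpd\[(?P<pid>\d+)\]:\s+connect from\s+(?P<src>\S+)\s*$"
)

def classify_source(src):
    """'normal' for the usual 'local' label, 'loopback-literal' for a
    loopback IP logged as an address, 'remote' for anything else."""
    if src == "local":
        return "normal"
    try:
        if ipaddress.ip_address(src).is_loopback:
            return "loopback-literal"
    except ValueError:
        pass  # a hostname, not an IP literal
    return "remote"

def find_loopback_connects(lines):
    """Return parsed events for in.proftpd connects logged from a loopback IP."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other daemons and unrelated messages are ignored
        if classify_source(m.group("src")) == "loopback-literal":
            hits.append({"line": lineno, "ts": m.group("ts"),
                         "pid": int(m.group("pid")), "src": m.group("src")})
    return hits

# Constructed sample log lines (not taken from the poster's machine).
SAMPLE = """\
Dec 12 09:14:02 raq4 in.proftpd[11702]: connect from local
Dec 12 09:20:45 raq4 in.proftpd[11715]: connect from 192.0.2.44
Dec 12 09:31:07 raq4 in.proftpd[11728]: connect from 127.0.0.1
Dec 12 09:31:09 raq4 sshd[11730]: connect from 127.0.0.1
in.proftpd[11741]: connect from 127.0.0.1
""".splitlines()

if __name__ == "__main__":
    for hit in find_loopback_connects(SAMPLE):
        print("line %(line)d pid %(pid)d ts %(ts)s src %(src)s" % hit)
```

The timestamp of the first hit gives a starting point for lining up entries in the other logs, as the poster did by hand.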