[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: strange proftpd segfault and conntrack_ftp messages

On Wed, Jan 02, 2002 at 05:48:58PM +0100, Christian Hammers wrote:
> Hello
> 
> Does anybody know a security bug for which this could be a hint?
> (hostname and ip's faked for obvious reasons)
> 
> The server runs: 
> 	kernel 2.4.11-pre6
> 	xined_2.1.8.8p3-1.1.deb 
> 	proftpd_1.2.4-2.deb
> 
> Except from that the IP only did some normal web browsing without any
> tricks like tried cgi accesses or similar.
> 
> TIA,
> 
> -christian-
> 
> On Wed, Jan 02, 2002 at 03:45:03PM +0100, root wrote:
> > Jan  2 15:44:17 server kernel: conntrack_ftp: partial PORT 2336475143+1
> > Jan  2 15:44:18 server proftpd[3420]: server.domain (111.222.333.444[111.222.333.444]) - SECURITY VIOLATION: root login attempted. 
> > Jan  2 15:44:28 server kernel: conntrack_ftp: partial PORT 2339544491+1
> > Jan  2 15:44:31 server proftpd[3425]: server.domain (111.222.333.444[111.222.333.444]) - ProFTPD terminating (signal 11) 
> > Jan  2 15:44:31 server xinetd[17612]: EXIT: ftp status=1 pid=3425 duration=8(sec)

The SECURITY VIOLATION message is ok and only occures when somebody tries to
login with root over ftp.
The SIG 11 seems to be another problem.
Please try to reproduce this with proftpd in standalone mode with the -nd 5 flags
for debugging.

Sven

-- 
>Lamer! :)\n Lokaler Admin mit enormen Rechten[tm]
[Christian Schneider und Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de
Reply to: