Camaleón wrote:
> On Fri, 26 Nov 2010 18:53:05 +0000, James Brown wrote:
>
>> I have a VDS under Debian Lenny,
>> ~# uname -a
>> Linux 2.6.18-028stab070.4-ent #1 SMP Tue Aug 17 19:03:05 MSD 2010 i686
>> GNU/Linux
>>
>> I have received the next messages from crondaemon:
>> /etc/cron.daily/rkhunter:
>> Internal error!
>> Internal error!
>> .................................
>>
>> and from rkhunter that my server has problems which you can see in the
>> attached log, including detected SHV4 Rootkit and SHV5 Rootkit
>
> (...)
>
> JFYI, there was a recent exploit for ProFtpd:
>
> http://www.exploit-db.com/exploits/15449/
>
> Also followed here:
>
> proftpd: IAC remote root exploit
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769
>
> Not sure if lenny is also affected :-?
>
> (...)

It seems to me that it is the vulnerable version:

aptitude show psa-proftpd psa-proftpd-inetd
Package: psa-proftpd
State: installed
Automatically installed: no
Version: 1.3.2e-debian5.0.build95100504.17
Priority: extra
Section: non-free/mail
Maintainer: <i...@parallels.com>
Uncompressed Size: 4452k
Depends: libc6 (>= 2.7-1), libpam0g (>= 0.99.7.1), libssl0.9.8 (>= 0.9.8f-5), xinetd
Conflicts: ftp-server
Replaces: ftp-server
Provides: ftp-server
Description: ProFTPD -- Professional FTP Server.
 ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and
 ease of configuration. It features a very Apache-like configuration syntax, and
 a highly customizable server infrastructure, including support for multiple
 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.
 This build includes Plesk mod_quota patch.

Package: psa-proftpd-inetd
State: installed
Automatically installed: no
Version: 1.3.2e-debian5.0.build95100504.17
Priority: extra
Section: non-free/mail
Maintainer: <i...@parallels.com>
Uncompressed Size: 135k
Depends: psa-proftpd, netbase
Provides: psa-proftpd-start
Description: ProFTPD -- Setup for inetd operation.
 This package is necesary to setup ProFTPD to run from inetd.

>
>> Found HIDDEN PID: 1431
>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:47525)
>>
>> Found HIDDEN PID: 1759
>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)
>
> Check your "/var/log/auth.log" and "history" but your logs doesn't sound
> very good :-(
>
> Greetings,
>

I don't see anything suspicious in "history"; "/var/log/auth.log" is empty, but I had earlier problems with its settings. As I can see from last, nobody connected to my server since my last connection in the beginning of this month. But I see some strange things:

1) in "/var/log/apt/term.log":

dpkg: `ldconfig' not found on PATH.
dpkg: `start-stop-daemon' not found on PATH.
dpkg: `install-info' not found on PATH.
dpkg: `update-rc.d' not found on PATH.
dpkg: 4 expected program(s) not found on PATH.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

- an unusual record, and made when I was not logged in to the server; I have no records from that period in "/var/log/aptitude" or in "/var/log/dpkg" since my last login and updating/upgrading of packages.

2) in /var/log/sw-cp-server (HTTP server for SWsoft control panels, based on lighttpd according to aptitude search) - many records for the suspicious period such as the next:

(connections.c.299) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

- was my server hijacked through the control panel?

3) in "/var/log/tor":

[notice] Received reload signal (hup). Reloading config and resetting internal state.

- a) at the same time on each of the last days; b) I didn't log in to my server and didn't send that signal to the tor daemon.

4) in /var/log/messages I have many unexpected messages about opening and closing ftp sessions;

5) in /var/log/messages and /var/log/debug I have many records "mod_delay/0.6: error opening DelayTable '/var/run/proftpd/proftpd.delay': No such file or directory" in the suspicious period;

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4cf039df.6060...@gmail.com