On Fri, 26 Nov 2010 22:51:11 +0000, James Brown wrote:

> Camaleón wrote:
>> JFYI, there was a recent exploit for ProFtpd:
>>
>> http://www.exploit-db.com/exploits/15449/
>>
>> Also followed here:
>>
>> proftpd: IAC remote root exploit
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602769
>>
>> Not sure if lenny is also affected :-?
>>
>> (...)
>
> It seems to me that it is the vulnerable version:
> aptitude show psa-proftpd psa-proftpd-inetd
> Version: 1.3.2e-debian5.0.build95100504.17

Ugh :-(

But I cannot find that "psa-proftpd" package in debian repos. From where
did you install it? :-?

>>> Found HIDDEN PID: 1759
>>> Command: proftpd: connected: 72.159.168.50 (72.159.168.50:33625)
>>
>> Check your "/var/log/auth.log" and "history" but your logs don't
>> sound very good :-(
>>
>
> I don't see anything suspicious in "history", "/var/log/auth.log" is empty,
> but I had earlier problems with its settings. As I can see from last,
> nobody connected with my server since my last connection in the beginning
> of this month. But I see some strange things:
>
> 1) in "/var/log/apt/term.log":
> dpkg: `ldconfig' not found on PATH.
> dpkg: `start-stop-daemon' not found on PATH.
> dpkg: `install-info' not found on PATH.
> dpkg: `update-rc.d' not found on PATH.
> dpkg: 4 expected program(s) not found on PATH.
> NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
> - unusual record, and made when I was not logged in the server; I have no
> records from that period in "/var/log/aptitude" and in "/var/log/dpkg"
> since my last login and updating/upgrading packages.
> 2) in the /var/log/sw-cp-server (HTTP server for SWsoft control panels,
> based on lighttp according to aptitude search) - many records for the
> suspicious period like the next:
> (connections.c.299) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> - was my server hijacked through the control panel?
> 3) in "/var/log/tor":
> [notice] Received reload signal (hup). Reloading config and resetting internal state.
> - a) at the same time each of the last days; b) I was not logged in my
> server and didn't send that signal to the tor daemon.
> 4) in /var/log/messages I have many unexpected messages about opening and
> closing ftp-sessions;
> 5) in /var/log/messages and /var/log/debug I have many records
> "mod_delay/0.6: error opening DelayTable '/var/run/proftpd/proftpd.delay': No such file or directory"
> in the suspicious period;

I'm not an expert in linux computer forensics but your logs are displaying
scary information happening in your box.

Secunia reports a high impact on affected systems ("security bypass,
manipulation of data and system access"):

http://secunia.com/advisories/42052

Maybe it is time to perform a clean install as Jochen suggested.

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/pan.2010.11.28.12.22...@gmail.com
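Added example, not code from this thread, from Debian or from ProFTPD: a small Python triage script of the kind one would run while weighing James's points 3), 4) and 5). It parses syslog-style lines (the /var/log/messages and /var/log/tor formats quoted above), tags the indicators the thread mentions (ftp session open/close, the mod_delay DelayTable error, the tor HUP notice, the SSL unknown-protocol error), and reports only the hits that fall outside known administrator sessions, i.e. the windows `last` would show. Every sample log line, hostname, address, PID and session time below is constructed for illustration; the indicator names and the admin-session list are assumptions, not anything the thread defines.

```python
"""Correlate log indicators against known admin login windows (added example)."""
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2010  # syslog timestamps carry no year; assumed for the samples

# Constructed admin sessions (login, logout), e.g. as read from `last`.
ADMIN_SESSIONS = [
    (datetime(2010, 11, 2, 9, 0, 0), datetime(2010, 11, 2, 11, 30, 0)),
]

# Indicators from the thread, matched against the message part of a line.
INDICATORS = {
    "proftpd_session": re.compile(r"proftpd\[\d+\]:.*FTP session (opened|closed)"),
    "mod_delay_error": re.compile(r"mod_delay/[\d.]+: error opening DelayTable"),
    "tor_reload": re.compile(r"Received reload signal \(hup\)"),
    "ssl_unknown_protocol": re.compile(r"SSL23_GET_CLIENT_HELLO:unknown protocol"),
}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# "Mon DD HH:MM:SS host message" (classic syslog layout, no year)
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ (.*)$")


def parse_syslog(line):
    """Return (timestamp, message) for a syslog-style line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, msg = m.groups()
    ts = datetime(LOG_YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    return ts, msg


def classify(msg):
    """Name of the first indicator whose pattern matches, or None."""
    for name, rx in INDICATORS.items():
        if rx.search(msg):
            return name
    return None


def in_admin_window(ts, sessions):
    """True if ts lies inside any (login, logout) session."""
    return any(start <= ts <= end for start, end in sessions)


def triage(lines, sessions=ADMIN_SESSIONS):
    """Indicator hits that occurred while no administrator was logged in."""
    findings = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue
        ts, msg = parsed
        kind = classify(msg)
        if kind is not None and not in_admin_window(ts, sessions):
            findings.append((ts, kind, msg))
    return findings


def summarize(findings):
    """Number of findings per indicator name."""
    return Counter(kind for _, kind, _ in findings)


# Constructed sample lines in the formats the thread quotes (RFC 5737 test addresses).
SAMPLE_LOG = [
    "Nov  2 09:15:01 srv proftpd[1201]: 203.0.113.5 (203.0.113.5[203.0.113.5]) - FTP session opened.",
    "Nov  2 09:20:33 srv proftpd[1201]: 203.0.113.5 (203.0.113.5[203.0.113.5]) - FTP session closed.",
    "Nov 20 03:12:44 srv proftpd[1759]: 198.51.100.7 (198.51.100.7[198.51.100.7]) - FTP session opened.",
    "Nov 20 03:12:45 srv proftpd[1759]: mod_delay/0.6: error opening DelayTable "
    "'/var/run/proftpd/proftpd.delay': No such file or directory",
    "Nov 20 03:13:02 srv Tor[880]: [notice] Received reload signal (hup). "
    "Reloading config and resetting internal state.",
    "Nov 20 03:14:00 srv CRON[990]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 20 03:15:10 srv proftpd[1759]: 198.51.100.7 (198.51.100.7[198.51.100.7]) - FTP session closed.",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ts, kind, msg in hits:
        print(f"{ts:%b %d %H:%M:%S}  {kind:22s} {msg}")
    print("summary:", dict(summarize(hits)))
```

On the constructed sample the two Nov 2 ftp sessions fall inside the admin window and are dropped, while the Nov 20 session, the DelayTable error and the tor reload are reported, which is exactly the pattern James describes: service activity with no matching login. The script deliberately does not decide whether the box is compromised; its job is to separate events that line up with an operator's presence from those that do not, so the remaining ones can be checked against `last`, the package logs and the control-panel log by hand.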