Attempt to crack ftp site - Mailing list pgsql-hackers

From Daniele Orlandi
Subject Attempt to crack ftp site
Date
Msg-id 37C1CF0E.E5449E20@orlandi.com
Whole thread Raw
Responses Re: [MIRRORS] Attempt to crack ftp site
List pgsql-hackers
Hi,

I've just found very suspicious directory entries in
ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some
secuirity hole to gain access to your machine or machines mirroring the FTP
site. The entries seems to be here for a lot of time, but I didn't seem to see
any reference about them on the mailing lists.

There are nested directories that create a pathname with a shell code at the
end, very suitable to overflow some stack...


/ftp/pub/ftp.postgresql.org/pub/.incoming/

/



/

/


/1À1۰̀1À°Í€1À1Û°.̀ëO1À1É^°'^þűí̀1À^°=̀1À»ÒÑÐÿ÷Û1ɱVΉƒÆàù^°=^̀1ÀˆF‰‰F^L°‰óV^L̀è¬ÿÿÿ/bin/sh

Entries have been last modified (on my server) at this time:

drwxr-xr-x   3 ftp      ftp          1024 Jul 28 20:37
?????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Please, delete the entries as soon as possible, but be careful that if the
exploitable hole is in rm or mc (or whatever tool you intend to use to delete
them), you could activate the exploit.

A small look at the BugTRAQ archives should help you finding what tool has the
hole these entries are made to exploit.

Pheraps the incoming dir should be monitored a little more .

Bye!

-- Daniele

-------------------------------------------------------------------------------Daniele Orlandi - Utility Line Italia -
http://www.orlandi.comViaMezzera 29/A - 20030 - Seveso (MI) - Italy
 
-------------------------------------------------------------------------------


pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: [HACKERS] ERROR: pull_var_clause: Cannot handle node type 108
Next
From: The Hermit Hacker
Date:
Subject: Re: [MIRRORS] Attempt to crack ftp site