Hi,
I've just found very suspicious directory entries in
ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some
secuirity hole to gain access to your machine or machines mirroring the FTP
site. The entries seems to be here for a lot of time, but I didn't seem to see
any reference about them on the mailing lists.
There are nested directories that create a pathname with a shell code at the
end, very suitable to overflow some stack...
/ftp/pub/ftp.postgresql.org/pub/.incoming/
/
/
/
/1À1Û°Í1À°Í1À1Û°.ÍëO1À1É^°'^þűíÍ1À^°=Í1À»ÒÑÐÿ÷Û1ɱVÎÆàù^°=^Í1ÀFF^L°óV^LÍè¬ÿÿÿ/bin/sh
Entries have been last modified (on my server) at this time:
drwxr-xr-x 3 ftp ftp 1024 Jul 28 20:37
?????????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Please, delete the entries as soon as possible, but be careful that if the
exploitable hole is in rm or mc (or whatever tool you intend to use to delete
them), you could activate the exploit.
A small look at the BugTRAQ archives should help you finding what tool has the
hole these entries are made to exploit.
Pheraps the incoming dir should be monitored a little more .
Bye!
-- Daniele
-------------------------------------------------------------------------------Daniele Orlandi - Utility Line Italia -
http://www.orlandi.comViaMezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------
