Thread: Attempt to crack ftp site

Attempt to crack ftp site

From: Daniele Orlandi
Date:
Hi,

I've just found very suspicious directory entries in
ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some
security hole to gain access to your machine or machines mirroring the FTP
site. The entries seem to be here for a lot of time, but I didn't seem to see
any reference about them on the mailing lists.

There are nested directories that create a pathname with a shell code at the
end, very suitable to overflow some stack...


/ftp/pub/ftp.postgresql.org/pub/.incoming/

Entries have been last modified (on my server) at this time:

drwxr-xr-x   3 ftp      ftp          1024 Jul 28 20:37

Please, delete the entries as soon as possible, but be careful that if the
exploitable hole is in rm or mc (or whatever tool you intend to use to delete
them), you could activate the exploit.

A small look at the BugTRAQ archives should help you find what tool has the
hole these entries are made to exploit.

Perhaps the incoming dir should be monitored a little more.

Bye!

-- Daniele

-------------------------------------------------------------------------------
 Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
 Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------
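The monitoring the message asks for can be done with a read-only scan of the incoming tree: flag entries whose names contain bytes nobody types at an FTP prompt, components or full paths that are unusually long, and nesting that is unusually deep, without ever handing those paths to rm, mc or any other tool. This is an added example, not code from the thread or from the PostgreSQL mirror setup; the thresholds and the sample tree are constructed for the example.

```python
import os
import tempfile

# Thresholds are assumptions for this example, not values from the thread.
MAX_COMPONENT_LEN = 64
MAX_PATH_LEN = 256
MAX_DEPTH = 8


def suspicious_name(name: bytes) -> bool:
    """True if an entry name contains control characters, DEL or high-bit
    bytes, which is what machine code embedded in a filename looks like."""
    return any(b < 0x20 or b >= 0x7F for b in name)


def scan_incoming(root: bytes) -> list:
    """Walk the tree as bytes (undecodable names cannot raise) and return
    (path, reason) findings. Only listing is done: nothing is opened,
    renamed or removed, so no possibly vulnerable tool sees the paths."""
    findings = []
    base_depth = root.rstrip(b"/").count(b"/")
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath.count(b"/") - base_depth
        if depth >= MAX_DEPTH:
            findings.append((dirpath, "nesting too deep"))
            dirnames[:] = []          # report and stop descending
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if suspicious_name(name):
                findings.append((full, "non-printable bytes in name"))
            if len(name) > MAX_COMPONENT_LEN:
                findings.append((full, "component too long"))
            if len(full) > MAX_PATH_LEN:
                findings.append((full, "total path too long"))
    return findings


def build_sample_tree() -> bytes:
    """Constructed sample: one ordinary upload plus a nested directory whose
    innermost name carries control and high-bit bytes (a harmless stand-in
    for the entries described in the thread; no payload is written)."""
    root = os.fsencode(tempfile.mkdtemp(prefix="incoming-"))
    os.makedirs(os.path.join(root, b"user-upload"))
    os.makedirs(os.path.join(root, b"a" * 100, b"b" * 150, b"\x01\x1b\xc3\x80x"))
    return root


if __name__ == "__main__":
    for path, reason in scan_incoming(build_sample_tree()):
        print(reason, path)
```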


Re: [MIRRORS] Attempt to crack ftp site

From: The Hermit Hacker
Date:
Hi Daniele...
I just checked the main repository, and no such file exists
there...my guess is that this is specific to your server?


On Tue, 24 Aug 1999, Daniele Orlandi wrote:

> 
> Hi,
> 
> I've just found very suspicious directory entries in
> ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some
> security hole to gain access to your machine or machines mirroring the FTP
> site. The entries seem to be here for a lot of time, but I didn't seem to see
> any reference about them on the mailing lists.
> 
> There are nested directories that create a pathname with a shell code at the
> end, very suitable to overflow some stack...
> 
> /ftp/pub/ftp.postgresql.org/pub/.incoming/
> 
> Entries have been last modified (on my server) at this time:
> 
> drwxr-xr-x   3 ftp      ftp          1024 Jul 28 20:37
> 
> Please, delete the entries as soon as possible, but be careful that if the
> exploitable hole is in rm or mc (or whatever tool you intend to use to delete
> them), you could activate the exploit.
> 
> A small look at the BugTRAQ archives should help you find what tool has the
> hole these entries are made to exploit.
> 
> Perhaps the incoming dir should be monitored a little more.
> 
> Bye!
> 
> -- 
>  Daniele
> 
> -------------------------------------------------------------------------------
>  Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
>  Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
> -------------------------------------------------------------------------------
> 
> 

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org 
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org