Hiya all together,

regarding all those proftpd exploits and the "emergency-style" unofficial suse-security announcement released this evening, and a (possible) break-in at one of our systems, I have some questions to all of you - perhaps someone can help me!

1. How exactly does the exploit work? I have some C code from BugTraq - but how is the exploit executed? Does the offending user have to log in, or is the buffer overflow in the login-checking sequence? Does he send a file, or just a command containing the overflow + shell code? I'm not too good at reading C code, so if somebody might give me a hint......

2. How can I identify a hijacked system? (I've been to the CERT pages, and yes, we use tripwire - but is there a "quick", proftpd-crack-specific way to determine if the attempt was successful?)

3. On the probably hijacked machine we have ended up with about 650 MB of /var/log/xferlog, near the end filled up all with ".t .t .t .t .t" and so on. We also have a new (:-(( ) file in / named .t
Might this be proof of being cracked?

4. Which versions of proftpd on SuSE are affected? In the unofficial announcement, Marc Heuse stated that users running 6.1 are not vulnerable - the eventually hijacked box is running 6.1 with proftpd-1.2.0pre1-26 ...

5. Might the root exploit just end up as a DoS attack (the machine stopped running because it ran out of space on /), if it fails, pushing the xferlog beyond a normal size?

I hope someone of you might help, as tripwire says that the box is clean - but I have a bad feeling about all this...

Thanks in advance, and sleep well (it's 1:32am in Germany right now)...

Stefan Salzer
--
Quality is not what you promise, but what you deliver!
========================================================================
= Would you like to receive our free newsletter "cinNews"?
= You can subscribe to it at http://news.cin.de!
--------------------------------------------------------------------
= Stefan Salzer                  e-Mail:  salt@cin.de
= Connect Internetworking        Phone:   +49 6106 8498 0
= Hauptstr. 139                  Fax:     +49 6106 8498 299
= 63110 Rodgau                   WWW:     http://www.cin.de
= Germany
========================================================================
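A way to triage the xferlog symptom from question 3 offline, as an added example that is not part of the original mail or of proftpd: the script assumes the classic wu-ftpd/proftpd xferlog record layout, works on a constructed sample (hostnames, user and dates are made up), and flags three defender-relevant signs at once: lines that are not xferlog records at all (log flooding), long runs of the same filename, and uploads of dotfiles such as ".t".

```python
import re
from collections import Counter

# Constructed sample (not from the mail). Assumed layout is the classic
# wu-ftpd/proftpd xferlog: 5 date fields, transfer-time, host, size,
# filename, type, action, direction, access-mode, user, service,
# auth-method, auth-uid, completion-status.
SAMPLE_XFERLOG = """\
Mon Sep 20 00:12:01 1999 2 mirror.example.net 51200 /pub/suse/README a _ o a user@ ftp 0 * c
Mon Sep 20 00:12:09 1999 1 mirror.example.net 2048 /pub/suse/INDEX a _ o a user@ ftp 0 * c
Mon Sep 20 01:30:44 1999 0 10.0.0.7 0 .t b _ i r joe ftp 0 * i
Mon Sep 20 01:30:44 1999 0 10.0.0.7 0 .t b _ i r joe ftp 0 * i
Mon Sep 20 01:30:45 1999 0 10.0.0.7 0 .t b _ i r joe ftp 0 * i
.t .t .t .t .t .t .t .t
.t .t .t .t .t .t .t .t
"""

XFER_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<file>\S+) (?P<type>[ab]) (?P<action>\S) (?P<dir>[iod]) "
    r"(?P<mode>[ar]) (?P<user>\S+) (?P<svc>\S+) (?P<auth>\d) (?P<uid>\S+) (?P<status>[ci])$"
)


def triage_xferlog(text, burst_threshold=3):
    """Summarise indicators of abuse in an xferlog copy without touching the host."""
    uploads = Counter()      # (host, user, filename) -> number of incoming transfers
    malformed = 0            # lines that are not xferlog records (log flooding / garbage)
    longest_run, run, last = 0, 0, None
    for line in text.splitlines():
        m = XFER_RE.match(line)
        if not m:
            malformed += 1
            continue
        name = m.group("file")
        run = run + 1 if name == last else 1   # consecutive records with the same filename
        last, longest_run = name, max(longest_run, run)
        if m.group("dir") == "i":              # 'i' = incoming transfer (upload)
            uploads[(m.group("host"), m.group("user"), name)] += 1
    dotfile_uploads = {k: v for k, v in uploads.items()
                       if k[2].rsplit("/", 1)[-1].startswith(".")}
    return {
        "malformed_lines": malformed,
        "longest_same_name_run": longest_run,
        "dotfile_uploads": dotfile_uploads,
        "suspicious": malformed > 0 or longest_run >= burst_threshold or bool(dotfile_uploads),
    }


if __name__ == "__main__":
    print(triage_xferlog(SAMPLE_XFERLOG))
```

Run it against a copy of the 650 MB log taken with the box offline; a hit here is a reason to treat the host as compromised and rebuild, not a proof by itself, since tripwire and the stray /.t file are the stronger evidence.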