Mailinglist Archive: opensuse-security (343 mails)

Possible compromised service
  • From: John Bland <shrike@xxxxxxxxxxxxx>
  • Date: Thu, 12 Jul 2001 01:11:43 +0100 (BST)
  • Message-id: <Pine.LNX.4.31.0107120108040.3036-100000@xxxxxxxxxxxxxxxxxxx>

Hi,

A German warez group (from what I have been able to track down) has been
uploading files to our server.

The problem is that they've been appearing in our ftp incoming directory
*but not through our ftp daemon*. Any such connections would have logged
and they haven't been.

Neither were any ftpd processes seen running at a time when files were
actively being uploaded.

This (to my untrained eye) points to a compromised network service of some
description.

First things first: is this the right place to discuss such things, or would
there be somewhere more relevant?

I'm running SuSE 7.1 with a self compiled 2.4.2 kernel, and running apache
1.3.19, proftpd 1.2.2rc2, openssh 2.5.1p1, telnet, postfix-20010228pl03-9,
qpopper-3.1.2, nfs-2.2, pidentd 3.1a17, samba 2.0.10, lprng 3.7.4,
netatalk 1.4.99, portmap 5beta, XFree86 4.0.2 + kdm/kde2 2.1.1. Some of which
being compiled from 7.2ftp source rpms but the same exploit was taking place
with standard 7.1ftp.

As I'm running SuSE packages which have no known exploits that I can see
this is worrying for me and a potential worry for other SuSE users.

I've spent all day on a wild goose chase but hopefully tomorrow I'll be
able to find more information (I'm tcpdumping all network traffic atm, so
it just needs correlating the time files are uploaded with the traffic
going on at the time, a lengthy process on a busy server ;0).

Any help will be greatly appreciated,
John Bland

--
John Bland M.Phys (Hons) AMInstP / \ PhD Student & Sys Admin
Email: j.bland at cmp.liv.ac.uk / \ Condensed Matter Group
http://ringtail.cmp.liv.ac.uk/ / \ Liverpool University
"Hey, I wonder how much meat you get on a womble?" -- Eddie
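The correlation the poster describes (matching the time each file appeared in the incoming directory against the tcpdump capture to find the connection, and therefore the listening port, that delivered it) can be automated rather than done by hand. The following is an added example, not code from the original post or from any of the packages it names. It assumes capture lines in the format printed by a modern `tcpdump -n -tttt` (older releases print a different timestamp prefix, so LINE_RE would need adapting), file arrival times taken from the directory listing (for instance `find /home/ftp/incoming -type f -printf '%p %T@\n'`), and a SERVER_IP plus a set of EXPECTED_PORTS describing the host under investigation. All sample data in the block is constructed.

```python
"""Correlate file arrival times in an ftp incoming directory with captured
traffic, to find which flow (and which server port) delivered each file.

Added example, not from the original post.  Assumptions:
  * capture lines look like `tcpdump -n -tttt` output:
    'YYYY-MM-DD HH:MM:SS.ffffff IP a.b.c.d.PORT > e.f.g.h.PORT: ...'
  * file arrival times come from a directory listing (path, mtime)
  * SERVER_IP and EXPECTED_PORTS describe the investigated host
All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

SERVER_IP = "192.168.1.10"   # assumed address of the ftp server
# services the admin knows are listening (assumed list, from the post's software inventory)
EXPECTED_PORTS = {21, 22, 23, 25, 80, 110, 111, 139, 515, 548}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Yield (timestamp, src, sport, dst, dport) for each parseable packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, truncated or otherwise non-matching line: ignore
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
               m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def build_flows(packets):
    """Group packets into bidirectional flows keyed on (peer_ip, peer_port,
    server_port).  Value is (first_seen, last_seen, packet_count)."""
    flows = {}
    for ts, src, sport, dst, dport in packets:
        if dst == SERVER_IP:
            key = (src, sport, dport)
        elif src == SERVER_IP:
            key = (dst, dport, sport)
        else:
            continue  # transit traffic, neither to nor from our host
        first, last, n = flows.get(key, (ts, ts, 0))
        flows[key] = (min(first, ts), max(last, ts), n + 1)
    return flows


def correlate(flows, files, window=timedelta(seconds=30)):
    """For each (path, mtime) return the flow keys that were active within
    +/- window of the mtime.  A file written at time T must have been
    carried by a flow open at or shortly before T."""
    hits = {}
    for path, mtime in files:
        lo, hi = mtime - window, mtime + window
        hits[path] = sorted(
            key for key, (first, last, _) in flows.items()
            if first <= hi and last >= lo)  # interval overlap test
    return hits


def suspicious_ports(hits):
    """Server-side ports that delivered files but are not a known service."""
    seen = {sport for keys in hits.values() for (_, _, sport) in keys}
    return sorted(seen - EXPECTED_PORTS)


# Constructed sample capture: a normal ftp session, an ssh login, an
# upload over an unexpected port, one transit packet and one ARP line.
SAMPLE_CAPTURE = """\
2001-07-12 00:30:00.000000 IP 10.1.1.7.40001 > 192.168.1.10.21: Flags [S], seq 100
2001-07-12 00:30:00.020000 IP 192.168.1.10.21 > 10.1.1.7.40001: Flags [S.], seq 200
2001-07-12 00:30:12.000000 IP 10.1.1.7.40001 > 192.168.1.10.21: Flags [F.], seq 300
2001-07-12 00:58:01.100000 IP 10.0.0.5.1234 > 192.168.1.10.22: Flags [S], seq 1
2001-07-12 00:58:01.200000 IP 192.168.1.10.22 > 10.0.0.5.1234: Flags [S.], seq 2
2001-07-12 01:02:30.000000 IP 172.16.9.9.3333 > 192.168.1.10.31337: Flags [S], seq 3
2001-07-12 01:02:30.050000 IP 192.168.1.10.31337 > 172.16.9.9.3333: Flags [S.], seq 4
2001-07-12 01:02:31.000000 IP 172.16.9.9.3333 > 192.168.1.10.31337: Flags [P.], length 1460
2001-07-12 01:02:35.000000 IP 172.16.9.9.3333 > 192.168.1.10.31337: Flags [F.], seq 5
2001-07-12 01:02:36.000000 IP 10.2.2.2.5555 > 10.3.3.3.80: Flags [S], seq 6
2001-07-12 01:02:34.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10
"""

# Constructed sample directory listing: (path, mtime)
SAMPLE_FILES = [
    ("/home/ftp/incoming/legit.txt", datetime(2001, 7, 12, 0, 30, 10)),
    ("/home/ftp/incoming/xyz.rar", datetime(2001, 7, 12, 1, 2, 33)),
]


def investigate(capture=SAMPLE_CAPTURE, files=SAMPLE_FILES):
    """Run the whole correlation; returns (per-file flow hits, unknown ports)."""
    flows = build_flows(parse_capture(capture))
    hits = correlate(flows, files)
    return hits, suspicious_ports(hits)


if __name__ == "__main__":
    hits, ports = investigate()
    for path, keys in hits.items():
        print(path, "<-", keys)
    print("file-delivering ports not in the known service list:", ports)
```

Two caveats a practitioner would keep in mind: the window has to be wide enough to cover the transfer duration plus any clock skew between the capture host and the file server, and a flow that correlates with a file is only evidence about the network side. The server-side port it points at still has to be matched to a process (`netstat -anp` or `lsof -i` while the transfer is in progress) before concluding which service was abused.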

