Skip site navigation (1) Skip section navigation (2)

Attempt to crack ftp site

From: Daniele Orlandi <daniele(at)orlandi(dot)com>
To: pgsql-hackers(at)postgreSQL(dot)org, pgsql-mirrors(at)postgreSQL(dot)org
Subject: Attempt to crack ftp site
Date: 1999-08-23 22:45:34
Message-ID: 37C1CF0E.E5449E20@orlandi.com (view raw or flat)
Thread:
Lists: pgsql-hackers
Hi,

I've just found very suspicious directory entries in
ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some
secuirity hole to gain access to your machine or machines mirroring the FTP
site. The entries seems to be here for a lot of time, but I didn't seem to see
any reference about them on the mailing lists.

There are nested directories that create a pathname with a shell code at the
end, very suitable to overflow some stack...

/ftp/pub/ftp.postgresql.org/pub/.incoming/
/

/
/

/1À1۰̀1À°Í€1À1Û°.̀ëO1À1É^°'^þűí̀1À^°=̀1À»ÒÑÐÿ÷Û1ɱVΉƒÆàù^°=^̀1ÀˆF‰‰F^L°‰óV^L̀è¬ÿÿÿ/bin/sh

Entries have been last modified (on my server) at this time:

drwxr-xr-x   3 ftp      ftp          1024 Jul 28 20:37
?????????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Please, delete the entries as soon as possible, but be careful that if the
exploitable hole is in rm or mc (or whatever tool you intend to use to delete
them), you could activate the exploit.

A small look at the BugTRAQ archives should help you finding what tool has the
hole these entries are made to exploit.

Pheraps the incoming dir should be monitored a little more .

Bye!

-- 
 Daniele

-------------------------------------------------------------------------------
 Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
 Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------

Responses

pgsql-hackers by date

Next:From: The Hermit HackerDate: 1999-08-23 23:20:13
Subject: Re: [MIRRORS] Attempt to crack ftp site
Previous:From: Tom LaneDate: 1999-08-23 15:31:23
Subject: Re: [HACKERS] ERROR: pull_var_clause: Cannot handle node type 108

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group