Re: [MIRRORS] Attempt to crack ftp site

From: The Hermit Hacker <scrappy(at)hub(dot)org>
To: Daniele Orlandi <daniele(at)orlandi(dot)com>
Cc: pgsql-hackers(at)postgreSQL(dot)org, pgsql-mirrors(at)postgreSQL(dot)org
Subject: Re: [MIRRORS] Attempt to crack ftp site
Date: 1999-08-23 23:20:13
Message-ID: Pine.BSF.4.10.9908232019180.80485-100000@thelab.hub.org
Lists: pgsql-hackers


Hi Daniele...

I just checked the main repository, and no such file exists
there...my guess is that this is specific to your server?

On Tue, 24 Aug 1999, Daniele Orlandi wrote:

>
> Hi,
>
> I've just found very suspicious directory entries in
> ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some
> security hole to gain access to your machine or machines mirroring the FTP
> site. The entries seem to be here for a lot of time, but I didn't seem to see
> any reference about them on the mailing lists.
>
> There are nested directories that create a pathname with a shell code at the
> end, very suitable to overflow some stack...
>
> /ftp/pub/ftp.postgresql.org/pub/.incoming/
> /
>
> /
> /
>
> /11111.O11^'^1^=11V^=^1FF^LV^L/bin/sh
>
> Entries have been last modified (on my server) at this time:
>
> drwxr-xr-x 3 ftp ftp 1024 Jul 28 20:37
> ?????????????????????????????????????????????????????????????????????????????
> ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
>
> Please, delete the entries as soon as possible, but be careful that if the
> exploitable hole is in rm or mc (or whatever tool you intend to use to delete
> them), you could activate the exploit.
>
> A small look at the BugTRAQ archives should help you find what tool has the
> hole these entries are made to exploit.
>
> Perhaps the incoming dir should be monitored a little more.
>
> Bye!
>
> --
> Daniele
>
> -------------------------------------------------------------------------------
> Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
> Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
> -------------------------------------------------------------------------------
>
> ************
>

Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy(at)hub(dot)org secondary: scrappy(at){freebsd|postgresql}.org
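
An added example, not part of either message above: one way to monitor an upload directory such as the `.incoming` described in the quoted report, flagging entries whose names contain non-printable bytes or whose path is unusually long or deeply nested. The function names, the thresholds and the constructed sample tree are assumptions.

```python
import os
import tempfile

# Assumed thresholds (not from the thread); tune them for the site.
MAX_PATH_BYTES = 255
MAX_DEPTH = 8


def escape(raw):
    """Render a bytes path so control bytes cannot reach a terminal or log raw."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "\\x%02x" % b for b in raw)


def suspicious_entries(root, max_path=MAX_PATH_BYTES, max_depth=MAX_DEPTH):
    """Return (reasons, escaped_relative_path) for each entry worth a look."""
    root = os.fsencode(root)
    sep = os.sep.encode()
    findings = []
    # Walking with a bytes root yields bytes names, so odd filenames never hit
    # a decode error; os.walk does not follow symlinked directories by default.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            reasons = []
            if any(b < 0x20 or b > 0x7E for b in name):
                reasons.append("non-printable bytes in name")
            if len(rel) > max_path:
                reasons.append("path longer than %d bytes" % max_path)
            if rel.count(sep) + 1 > max_depth:
                reasons.append("nesting deeper than %d" % max_depth)
            if reasons:
                findings.append((reasons, escape(rel)))
    return findings


def build_constructed_tree(base):
    """Constructed sample: one ordinary upload plus a long nested chain."""
    base = os.fsencode(base)
    with open(os.path.join(base, b"upload.tar.gz"), "wb"):
        pass
    os.makedirs(os.path.join(base, b"A" * 200, b"B" * 200, b"x\x0c\x16y"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for reasons, path in suspicious_entries(tmp):
            print("; ".join(reasons), "->", path[:40] + "..." + path[-12:])
```

The scan only reads directory entries and reports names in escaped form, so it can run from cron against the upload area without passing the raw names to other tools.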
