
Thread: DOS Attack via proftpd

  1. #1
    Registered Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    DOS Attack via proftpd

    I am sure I am not the only one... I check our servers several times per day. Every now and then when I go in, I notice the load average is above 5.00 (Normal for our servers is below 1.00 with an occasional spike above 1.00). I then see a number of proftpd processes running using PS.

    Thus, I then go to

    vi /var/log/messages

    To view the proftpd access messages and there are many coming from the same IP # hitting each IP on our server (We have over 100 IPs) several times per second.


    Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:31 ns proftpd[29645]: 55.77.55.99 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:32 ns proftpd[29646]: 55.77.55.100 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:33 ns proftpd[29654]: 55.77.55.101 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:35 ns proftpd[29655]: 55.77.55.102 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:38 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
    Jan 24 11:06:38 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
    Jan 24 11:06:50 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:50 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.


    I then drop the attacking IP by using

    /sbin/route add -host 80.135.214.89 reject

    where 80.135.214.89 is the offending IP.

    This stops the attack.

    My question to you who may read this is, how can we stop this attack automatically before it happens?

    Can't you do something in CPanel Nick, to stop these attacks or at least notify the server owner if the load average spikes above a certain level?

    This type of attack is a security hazard as the attack is an attempt to access the server via proftpd.

    Oh, and if you think this attack has not happened to you, think again. It is very common. Check your logs:

    vi /var/log/messages
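
Added example, not part of the original posts: one way to spot this pattern automatically is to scan the proftpd lines in /var/log/messages for a single remote address opening or closing sessions against many local IPs within a short window. The thresholds, the year argument, the function name and the sample log lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the proftpd session lines quoted above: local IP, then (rdns[remote IP]).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sproftpd\[\d+\]:\s(?P<local>\S+)\s"
    r"\([^\[]*\[(?P<remote>[\d.]+)\]\)\s-\sFTP session (?:opened|closed)\."
)

def find_ftp_floods(lines, window_s=60, max_events=5, max_targets=3, year=2000):
    """Return {remote_ip: (peak_events, peak_distinct_local_ips)} for sources that
    reach either threshold inside a sliding window. The thresholds are assumed
    starting points; syslog omits the year, so one is supplied for parsing."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # remote IP -> (time, local IP) pairs in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a proftpd session line
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["remote"]]
        q.append((t, m["local"]))
        while t - q[0][0] > window:  # drop events older than the window
            q.popleft()
        targets = len({local for _, local in q})
        if len(q) >= max_events or targets >= max_targets:
            seen = flagged.get(m["remote"], (0, 0))
            flagged[m["remote"]] = (max(seen[0], len(q)), max(seen[1], targets))
    return flagged

# Constructed sample input in the format shown in the post (RFC 5737 addresses).
SAMPLE = """\
Jan 24 11:06:31 ns proftpd[29644]: 192.0.2.10 (host.example.net[203.0.113.7]) - FTP session closed.
Jan 24 11:06:31 ns proftpd[29645]: 192.0.2.11 (host.example.net[203.0.113.7]) - FTP session closed.
Jan 24 11:06:32 ns proftpd[29646]: 192.0.2.12 (host.example.net[203.0.113.7]) - FTP session closed.
Jan 24 11:06:33 ns proftpd[29654]: 192.0.2.13 (host.example.net[203.0.113.7]) - FTP session opened.
Jan 24 11:06:40 ns proftpd[29700]: 192.0.2.10 (client.example.org[198.51.100.20]) - FTP session opened.
Jan 24 11:09:02 ns proftpd[29700]: 192.0.2.10 (client.example.org[198.51.100.20]) - FTP session closed.
"""

if __name__ == "__main__":
    for ip, (events, targets) in find_ftp_floods(SAMPLE.splitlines()).items():
        print(f"{ip}: {events} session events against {targets} local IPs within 60s")
```

Run from cron against the live log, the flagged addresses can be mailed to the server owner or fed to the same route reject command used in the post.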

  2. #2
    Registered Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    Nick?

    FOUND THIS INFO AT
    http://linux.oreillynet.com/pub/a/linux/2002/01/14/insecurities.html#pro

    =========================
    The ProFTPD FTP daemon is vulnerable to a denial-of-service attack and a problem in resolving some host names properly. The denial-of-service attack can be used by a remote attacker to cause ProFTPD to consume all of the CPU and memory on the server. The resolution problem is caused by ProFTPD not properly forward-resolving reverse-resolved host names, and could be used by an attacker to get around ProFTPD access control lists or to log incorrect host names.

    Users should consider upgrading ProFTPD to version 1.2.5rc1 or newer.
    ===================

    FYI, it seems Cpanel is using version 1.2.4

    Sounds like we need an upgrade, eh Nick

  3. #3
    Registered Member
    Join Date
    Jan 2003
    Posts
    68


    It looks like my server was brought down by such an attack last night. Is it possible for us to upgrade Proftpd ourselves or will this really mess things up?

    Mav.

  4. #4
    Registered Member
    Join Date
    May 2002
    Posts
    292


    Switch to PureFtp until the update comes.
