
DOS Attack via proftpd

Discussion in 'General Discussion' started by bmcpanel, Jan 24, 2003.

  1. bmcpanel

    I am sure I am not the only one... I check our servers several times per day. Every now and then when I go in, I notice the load average is above 5.00 (normal for our servers is below 1.00, with an occasional spike above 1.00). I then see a number of proftpd processes running using ps.

    Thus, I then go to

    vi /var/log/messages

    to view the proftpd access messages, and there are many coming from the same IP # hitting each IP on our server (we have over 100 IPs) several times per second.


    Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:31 ns proftpd[29645]: 55.77.55.99 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:32 ns proftpd[29646]: 55.77.55.100 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:33 ns proftpd[29654]: 55.77.55.101 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:35 ns proftpd[29655]: 55.77.55.102 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:38 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
    Jan 24 11:06:38 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
    Jan 24 11:06:50 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
    Jan 24 11:06:50 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.


    I then drop the attacking IP by using

    /sbin/route add -host 80.135.214.89 reject

    where 80.135.214.89 is the offending IP.

    This stops the attack.

    My question to you who may read this is, how can we stop this attack automatically before it happens?

    Can't you do something in cPanel, Nick, to stop these attacks, or at least notify the server owner if the load average spikes above a certain level?

    This type of attack is a security hazard as the attack is an attempt to access the server via proftpd.

    Oh, and if you think this attack has not happened to you, think again. It is very common. Check your logs:

    vi /var/log/messages
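One way to automate the check the poster does by hand, as an added example (not code from this thread or from cPanel): a parser for the proftpd syslog lines quoted above that counts distinct FTP sessions per client IP in a sliding window and reports clients that open many sessions against many server IPs. The thresholds (5 sessions per 60 seconds), the benign client 192.0.2.10 and the sample log are constructed assumptions; the flood lines mirror the post's excerpt.

```python
import re
from collections import defaultdict

# Matches the syslog/proftpd lines quoted in the post, e.g.
# "Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (rdns[client_ip]) - FTP session closed."
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} (?P<hms>\d{2}:\d{2}:\d{2}) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"(?P<server_ip>\S+) \([^\[]*\[(?P<client_ip>[^\]]+)\]\) - FTP session (?:opened|closed)\.$")

def parse_line(line):
    """(seconds since midnight, pid, server_ip, client_ip), or None for non-session lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = map(int, m["hms"].split(":"))
    return h * 3600 + mi * 60 + s, m["pid"], m["server_ip"], m["client_ip"]

def flag_flooders(lines, max_sessions=5, window=60):
    """Return {client_ip: (sessions, distinct server IPs hit)} for clients with more than
    max_sessions distinct sessions (one proftpd pid each) inside any window-second span."""
    sessions = defaultdict(dict)  # client_ip -> {pid: first time seen}
    servers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, pid, server_ip, client_ip = rec
        sessions[client_ip].setdefault(pid, t)  # "opened" and "closed" share a pid: count once
        servers[client_ip].add(server_ip)
    flagged = {}
    for ip, by_pid in sessions.items():
        times, start = sorted(by_pid.values()), 0
        for end, t in enumerate(times):  # sliding window over session start times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_sessions:
                flagged[ip] = (len(times), len(servers[ip]))
                break
    return flagged

# Constructed sample mirroring the post's excerpt plus one benign client (not a real capture).
_FLOOD = "p5087D659.dip.t-dialin.net[80.135.214.89]"
_EVENTS = [("11:06:31", 29644, "55.77.55.98", _FLOOD, "closed"), ("11:06:31", 29645, "55.77.55.99", _FLOOD, "closed"),
    ("11:06:32", 29646, "55.77.55.100", _FLOOD, "closed"), ("11:06:33", 29654, "55.77.55.101", _FLOOD, "closed"),
    ("11:06:35", 29655, "55.77.55.102", _FLOOD, "closed"), ("11:06:38", 29728, "55.77.56.118", _FLOOD, "opened"),
    ("11:06:38", 29729, "55.77.56.119", _FLOOD, "opened"), ("11:06:50", 29729, "55.77.56.119", _FLOOD, "closed"),
    ("11:06:50", 29728, "55.77.56.118", _FLOOD, "closed"),
    ("11:07:02", 29801, "55.77.55.98", "example-customer.invalid[192.0.2.10]", "opened"),
    ("11:09:40", 29801, "55.77.55.98", "example-customer.invalid[192.0.2.10]", "closed")]
SAMPLE_LOG = ["Jan 24 %s ns proftpd[%d]: %s (%s) - FTP session %s." % e for e in _EVENTS]
```

Run against /var/log/messages, a flagged address is a candidate for the `/sbin/route add -host <ip> reject` step from the post (or a firewall rule), and an e-mail alert gives the load-average notification the poster asks for.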
     
  2. bmcpanel

    Nick?

    FOUND THIS INFO AT
    http://linux.oreillynet.com/pub/a/linux/2002/01/14/insecurities.html#pro

    =========================
    The ProFTPD FTP daemon is vulnerable to a denial-of-service attack and a problem in resolving some host names properly. The denial-of-service attack can be used by a remote attacker to cause ProFTPD to consume all of the CPU and memory on the server. The resolution problem is caused by ProFTPD not properly forward-resolving reverse-resolved host names, and could be used by an attacker to get around ProFTPD access control lists or to log incorrect host names.

    Users should consider upgrading ProFTPD to version 1.2.5rc1 or newer.
    ===================

    FYI, it seems cPanel is using version 1.2.4.

    Sounds like we need an upgrade, eh Nick :)
     
  3. maverick

    It looks like my server was brought down by such an attack last night. Is it possible for us to upgrade Proftpd ourselves or will this really mess things up?

    Mav.
     
  4. techark

    Switch to PureFtp until the update comes.
     
