bmcpanel

Well-Known Member
Jun 1, 2002
546
0
316
I am sure I am not the only one... I check our servers several times per day. Every now and then when I go in, I notice the load average is above 5.00 (Normal for our servers is below 1.00 with an occasional spike above 1.00). I then see a number of proftpd processes running using PS.

Thus, I then go to

vi /var/log/messages

to view the proftpd access messages, and there are many coming from the same IP hitting each IP on our server (we have over 100 IPs) several times per second.


Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:31 ns proftpd[29645]: 55.77.55.99 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:32 ns proftpd[29646]: 55.77.55.100 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:33 ns proftpd[29654]: 55.77.55.101 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:35 ns proftpd[29655]: 55.77.55.102 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:38 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:38 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:50 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:50 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.


I then drop the attacking IP by using

/sbin/route add -host 80.135.214.89 reject

where 80.135.214.89 is the offending IP.

This stops the attack.

My question to you who may read this is, how can we stop this attack automatically before it happens?

Can't you do something in CPanel Nick, to stop these attacks or at least notify the server owner if the load average spikes above a certain level?

This type of attack is a security hazard as the attack is an attempt to access the server via proftpd.

Oh, and if you think this attack has not happened to you, think again. It is very common. Check your logs:

vi /var/log/messages
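The manual check above, turned into detection logic as an added example (not code from the original post): it parses proftpd session lines in the format quoted above, counts open/close events per client IP inside a sliding time window, reports any client over a threshold together with how many of the server's addresses it touched, and renders the route reject command used above for each one (as a string, not executed). The sample input is seven of the quoted log lines plus one constructed benign line (client 192.0.2.10); the year passed to the parser is an assumption, since syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# ProFTPD 1.2 syslog line as quoted in the post: "Mon DD HH:MM:SS host proftpd[pid]: <server ip> (<client host>[<client ip>]) - FTP session opened|closed."
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: (?P<server_ip>\S+) "
                     r"\([^\[]*\[(?P<client_ip>[^\]]+)\]\) - FTP session (?:opened|closed)\.$")

def parse_line(line, year):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog omits the year, so the caller supplies one (an assumption) to build a comparable timestamp
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["server_ip"], m["client_ip"]

def flag_flooding_clients(lines, year=2003, window_seconds=60, threshold=5):
    """Map client IP -> (peak session events in any window, distinct server IPs hit) for clients over `threshold`."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec:
            per_client[rec[2]].append((rec[0], rec[1]))
    offenders = {}
    for ip, evs in per_client.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = (peak, len({srv for _, srv in evs}))
    return offenders

def reject_route_command(ip):
    return f"/sbin/route add -host {ip} reject"  # the manual block from the post, rendered, not executed

# Sample input: seven of the lines quoted above plus one constructed benign line (client 192.0.2.10).
SAMPLE_LOG = """\
Jan 24 11:06:31 ns proftpd[29644]: 55.77.55.98 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:31 ns proftpd[29645]: 55.77.55.99 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:32 ns proftpd[29646]: 55.77.55.100 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:38 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:38 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session opened.
Jan 24 11:06:50 ns proftpd[29729]: 55.77.56.119 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:06:50 ns proftpd[29728]: 55.77.56.118 (p5087D659.dip.t-dialin.net[80.135.214.89]) - FTP session closed.
Jan 24 11:07:02 ns proftpd[29800]: 55.77.55.98 (example.invalid[192.0.2.10]) - FTP session opened.
""".splitlines()
```

Running `flag_flooding_clients(SAMPLE_LOG)` flags only 80.135.214.89 (7 events in under a minute across 5 server IPs); the benign client stays under the threshold.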
 

bmcpanel

Well-Known Member
Jun 1, 2002
546
0
316
Nick?

FOUND THIS INFO AT
http://linux.oreillynet.com/pub/a/linux/2002/01/14/insecurities.html#pro

=========================
The ProFTPD FTP daemon is vulnerable to a denial-of-service attack and a problem in resolving some host names properly. The denial-of-service attack can be used by a remote attacker to cause ProFTPD to consume all of the CPU and memory on the server. The resolution problem is caused by ProFTPD not properly forward-resolving reverse-resolved host names, and could be used by an attacker to get around ProFTPD access control lists or to log incorrect host names.

Users should consider upgrading ProFTPD to version 1.2.5rc1 or newer.
===================

FYI, it seems Cpanel is using version 1.2.4

Sounds like we need an upgrade, eh Nick :)
 

maverick

Well-Known Member
Jan 6, 2003
68
0
156
It looks like my server was brought down by such an attack last night. Is it possible for us to upgrade Proftpd ourselves or will this really mess things up?

Mav.