Attempt to crack ftp site
From | Daniele Orlandi |
---|---|
Subject | Attempt to crack ftp site |
Date | |
Msg-id | 37C1CF0E.E5449E20@orlandi.com |
Responses | Re: [MIRRORS] Attempt to crack ftp site |
List | pgsql-hackers |
Hi,

I've just found very suspicious directory entries in ftp.postgresql.org/pub/.incoming, for sure it's an attempt to exploit some security hole to gain access to your machine or machines mirroring the FTP site.

The entries seem to have been here for a long time, but I didn't seem to see any reference to them on the mailing lists.

There are nested directories that create a pathname with a shell code at the end, very suitable to overflow some stack...

/ftp/pub/ftp.postgresql.org/pub/.incoming/ / / / /1À1Û°Í1À°Í1À1Û°.ÍëO1À1É^°'^þűíÍ1À^°=Í1À»ÒÑÐÿ÷Û1ɱVÎÆàù^°=^Í1ÀFF^L°óV^LÍè¬ÿÿÿ/bin/sh

Entries have been last modified (on my server) at this time:

drwxr-xr-x 3 ftp ftp 1024 Jul 28 20:37 ????????????????????????????????????????????????????????????????????????????? ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Please, delete the entries as soon as possible, but be careful that if the exploitable hole is in rm or mc (or whatever tool you intend to use to delete them), you could activate the exploit.

A small look at the BugTRAQ archives should help you find what tool has the hole these entries are made to exploit.

Perhaps the incoming dir should be monitored a little more.

Bye!

--
Daniele

-------------------------------------------------------------------------------
Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
-------------------------------------------------------------------------------
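One way to do the monitoring of the incoming directory that the message asks for, as an added example that is not part of the original message or of any PostgreSQL project tooling. The thresholds, function names and the sample tree are assumptions constructed for illustration; the walk uses bytes paths so that odd names are never decoded or handed to a shell.

```python
import os
import tempfile

# Assumed thresholds for a public upload directory; tune to the site's policy.
MAX_NAME = 64    # longest single entry name expected, in bytes
MAX_DEPTH = 4    # deepest nesting expected below the incoming directory
MAX_PATH = 255   # longest relative path expected, in bytes

def name_findings(name):
    """Return the reasons one entry name (bytes) looks suspicious."""
    reasons = []
    if any(b < 0x20 or b >= 0x7f for b in name):
        reasons.append("non-printable or high-bit bytes")
    if name.strip() == b"":
        reasons.append("whitespace-only name")
    if len(name) > MAX_NAME:
        reasons.append("name longer than %d bytes" % MAX_NAME)
    return reasons

def scan_incoming(root):
    """Walk root (bytes) without following symlinks; return (relpath, reasons)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            reasons = name_findings(name)
            if rel.count(os.sep.encode()) + 1 > MAX_DEPTH:
                reasons.append("nested deeper than %d levels" % MAX_DEPTH)
            if len(rel) > MAX_PATH:
                reasons.append("path longer than %d bytes" % MAX_PATH)
            if reasons:
                findings.append((rel, reasons))
    return findings

def demo():
    """Build a small constructed tree (harmless filler bytes) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.fsencode(tmp)
        os.makedirs(os.path.join(root, b"ok", b"patch-1.0"))
        # Constructed sample: whitespace-only directories ending in a high-bit name.
        os.makedirs(os.path.join(root, b" ", b" ", b" ", b" ", b"\xff\xfe" * 40))
        return sorted(scan_incoming(root))

if __name__ == "__main__":
    for rel, reasons in demo():
        print(ascii(rel), "->", "; ".join(reasons))  # ascii() keeps raw bytes off the terminal
```

Run from cron against the real incoming directory, `scan_incoming(b"/path/to/incoming")` gives a list that can be mailed to the administrator when it is non-empty.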