[oclug] Question regarding being hacked
Charlie Brady
charlieb-oclug at budge.apana.org.au
Tue May 18 12:39:35 EDT 2004
On Tue, 18 May 2004, Dave Lewis wrote:
> apache 1.3.28
> proftpd Version: 1.2.9
> apache ssl Apache/1.3.28 Ben-SSL/1.52
> qmail 1.03
> courier-imap 1.6.1 ( I believe)
You don't mention what kernel you were running. Chances are that you were
running one which allowed escalation from a non-root user account to root.
proftpd 1.2.9 hasn't been reported to be remotely exploitable, but I don't
consider it to be a secure design as it always retains latent root
privileges. 1.2.9 does have a bug in CIDR access list parsing, so you
shouldn't trust it to distinguish friend from foe based on network
address.
apache and ssl have both had remotely exploitable flaws. These would give
an attacker non-root access, which could be escalated to root via kernel
flaws.
As others have said, don't do ftp. If you must, use an ftp daemon which
permanently discards root privilege as soon as possible. publicfile and
two-ftpd are two which spring to mind.
---
Charlie
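An added illustration of the two designs Charlie contrasts (a daemon that keeps latent root versus one that discards it permanently and verifies the drop); this is example code, not from the thread or from proftpd, publicfile or twoftpd. It assumes Linux with glibc (setresuid/setresgid), and the uid/gid 65534 in main is a constructed placeholder.

```c
#define _GNU_SOURCE   /* setresuid/setresgid: assumes Linux + glibc */
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>

/* "Latent root" pattern: only the effective uid moves; the saved uid stays
 * 0, so a later seteuid(0) (or a memory-corruption bug) gets root back. */
int drop_temporarily(uid_t uid) { return seteuid(uid); }

/* Permanent drop: supplementary groups, then gid, then uid, each setting
 * real, effective AND saved ids so no root id is left to return to.
 * Groups and gid go first: after the uid changes we can no longer touch them.
 * Returns 0 on success, -1 on failure. */
int drop_permanently(uid_t uid, gid_t gid)
{
    /* Only root may change supplementary groups; if already unprivileged
     * there is nothing to discard. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify: every one of the six ids must now be the target. */
    uid_t ru, eu, su; gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid)
        return -1;
    return 0;
}

/* 1 if root can still be regained (latent privilege), 0 if the drop stuck. */
int root_regainable(void)
{
    if (geteuid() == 0) return 1;
    return (seteuid(0) == 0 || setuid(0) == 0) ? 1 : 0;
}

int main(void)
{
    /* 65534 ("nobody" on many Linux systems) is a constructed demo value;
     * when not started as root, drop to our own ids instead. */
    int is_root = geteuid() == 0;
    uid_t uid = is_root ? 65534 : getuid();
    gid_t gid = is_root ? 65534 : getgid();
    if (drop_permanently(uid, gid) != 0) { perror("drop_permanently"); return 1; }
    printf("root regainable after permanent drop: %d\n", root_regainable());
    return 0;
}
```

Run it as root to see the drop to 65534; as an ordinary user it drops to its own ids and still reports that root cannot be regained.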