Runaway ProFTP?

Grant Peel gpeel at thenetnow.com
Sat Dec 11 04:53:12 UTC 2010


----- Original Message ----- 
From: "Jerry Bell" <jerry at nrdx.com>
To: <freebsd-questions at freebsd.org>
Sent: Friday, December 10, 2010 4:47 PM
Subject: Re: Runaway ProFTP?


> I have been having this happen a few times per week for the past few weeks.
> I believe it is caused by someone attacking proftpd.  I noticed today that
> there is an updated version - 1.3.3c that fixes a vulnerability that they
> may have been trying to exploit.
>
> When I looked at the process list, I would see around 20 proftpd's, each 
> with a high amount of CPU used, and connected to a specific IP.  I'd 
> firewall off those IPs and kill off proftpd/restart.  Knock on wood, I 
> have not had that happen since upgrading to 1.3.3c, but that may just be 
> because no one has tried again yet.
>
> Jerry
> On 12/10/2010 4:39 PM, Ryan Coleman wrote:
>> Does anyone have any ideas?
>>
>> On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:
>>
>>> Dear list,
>>>
>>> Has anyone else had experience with ProFTP 1.3.3a running away with 
>>> processes? I installed it about 2 months ago with a new server build and 
>>> over the course of the last three weeks I've had to forcibly kill, wait 
>>> and restart the service every one-to-three days and sucking up between 
>>> 20% and 80% of my system resources.
>>>
>>> I've attempted to change the logging in hopes to track down what is 
>>> causing the problems but I have not been successful. Additionally it 
>>> won't connect after a restart through Filezilla but using Terminal on my 
>>> MBP it will connect in the CLI.
>>>
>>> It's not the end of the world (for me) but it is for my staff when they 
>>> have to upload large numbers of photos.
>>>
>>> Thanks,
>>> Ryan
>>>
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to 
>>> "freebsd-questions-unsubscribe at freebsd.org"
>
>

Indeed, this Proftpd 1.3.3a vulnerability is exactly what my post on 
upgrading a single port is all about. I can say for a fact that the botnets 
are trying to use the vulnerability and that you are quite correct that the 
CPU / ZOMBIE processes are exploit related.

I just upgraded today and so far so good.

FYI for anyone that is following my thread on updating one single port: I 
must have a somewhat busted installation. Using port upgrade failed ... sorry 
I did not remember to keep the output, but, I was able to download the 
source from proftpd.org and install it from scratch.

-Grant 


