I had a box attacked and compromised last night. Looks like wu-ftpd was the entry point. Here is the syslog:

Mar 5 20:27:59 ns6 ftpd[746]: getpeername (in.ftpd): Transport endpoint is not connected
Mar 5 20:27:59 ns6 inetd[992]: ftp/tcp server failing (looping), service terminated

[david@server david]$ rpm -q wu-ftpd
wu-ftpd-2.4.2b18-2.1

This box was only running ssh, ftp, www, and identd, so it makes it look like ftp was to blame even more. I will investigate this further and post any additional information.
We need more information on this problem. We are not aware of any possible exploits in the current wu-ftpd code.
Please see the following article in the Bugtraq archives: http://www.geek-girl.com/bugtraq/1999_1/1075.html

I witnessed a break-in on one patched RH-5.2 system last week. Seems like this was the entry point.
This is an errata item for:
4.2.3: wu-ftp-2.5.0-0.4.2
5.2.2: wu-ftp-2.5.0-0.5.2
6.0.4: wu-ftp-2.5.0-2 (no exploit but other problems)

All systems need the following commands verified:
cd ~user    <= tilde expansion was busted
ls foo*     <= globbing was busted

Pay close attention to ftpwho on non-Red Hat 6.0 systems. It might be broken ...
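As an added example that is not part of this thread: the two checks a defender would want after reading the reports above, written as a small Python script. It flags the syslog pattern from the first report (ftpd getpeername error immediately followed by inetd terminating ftp/tcp) and compares an `rpm -q wu-ftpd` string against the errata versions listed per release. The package name wu-ftpd and the simplified rpm version comparison are assumptions; the log lines are a constructed copy of those quoted in the report.

```python
import re

# Constructed copy of the two syslog lines quoted in the original report.
SAMPLE_LOG = """\
Mar 5 20:27:59 ns6 ftpd[746]: getpeername (in.ftpd): Transport endpoint is not connected
Mar 5 20:27:59 ns6 inetd[992]: ftp/tcp server failing (looping), service terminated
"""

# Errata version-release per Red Hat release, as listed in the thread
# (package name assumed to be wu-ftpd as in the rpm -q output).
ERRATA = {"4.2": "2.5.0-0.4.2", "5.2": "2.5.0-0.5.2", "6.0": "2.5.0-2"}

def _segments(s):
    # Split "2.4.2b18-2.1" into ["2","4","2","b","18","2","1"], as rpm does.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp (assumption): <0 if a is older, 0 equal, >0 newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_errata(rpm_q_output, release):
    """True if the installed wu-ftpd is older than the errata package for `release`."""
    m = re.match(r"wu-ftpd-(\S+)$", rpm_q_output.strip())
    if not m:
        raise ValueError("unexpected rpm -q output: %r" % rpm_q_output)
    return vercmp(m.group(1), ERRATA[release]) < 0

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")
FTPD_ERR = re.compile(r" ftpd\[\d+\]: getpeername .*Transport endpoint is not connected")
INETD_LOOP = re.compile(r" inetd\[\d+\]: ftp/tcp server failing \(looping\), service terminated")

def suspicious_ftp_events(log_text):
    """Timestamps where an ftpd getpeername error is followed by inetd shutting ftp down."""
    hits, pending = [], None
    for line in log_text.splitlines():
        if FTPD_ERR.search(line):
            pending = STAMP.match(line).group(1)
        elif pending and INETD_LOOP.search(line):
            hits.append(pending)
            pending = None
    return hits
```

The pattern match only says the ftp service was wedged and restarted by inetd; it is a trigger for looking at the wu-ftpd version and the rest of the host, not proof of compromise on its own.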
Tested all arch: 4.2, 5.2, 6.0. 8 JUN 1999