I had a box attacked and compromised last night. Looks like
wu-ftpd was the entry point. Here is the syslog.
Mar 5 20:27:59 ns6 ftpd: getpeername (in.ftpd): Transport endpoint is not connected
Mar 5 20:27:59 ns6 inetd: ftp/tcp server failing (looping), service terminated
[david@server david]$ rpm -q wu-ftpd
This box was only running ssh, ftp, www, and identd, so it
makes it look like ftp was to blame even more. I will
investigate this further and post any additional
We need more information on this problem. We are not aware of any
possible exploits in the current wu-ftpd code.
Please see the following article in Bugtraq archives:
I witnessed a break-in on one patched RH-5.2 system last week.
Seems like this was the entry point.
This is an errata item for
6.0.4: wu-ftp-2.5.0-2 (no exploit but other problems)
All systems need the following commands verified
cd ~user <= tilde expansion was busted
ls foo* <= globbing was busted
Pay close attention to ftpwho on non Red Hat 6.0 systems. It might
be broke ...
tested all arch, 4.2, 5.2, 6.0 8 JUN 1999