From: Thomas Wahyudi
Date: Sat, 11 Dec 2010 10:35:24 +0700
To: freebsd-questions@freebsd.org
Subject: Re: Runaway ProFTP?
Message-ID: <4D02F17C.3090606@sanbe-farma.com>
In-Reply-To: <4D029FF2.9020305@nrdx.com>

On 11/12/2010 4:47, Jerry Bell wrote:
> I have been having this happen a few times per week for the past few
> weeks. I believe it is caused by someone attacking proftpd. I
> noticed today that there is an updated version - 1.3.3c that fixes a
> vulnerability that they may have been trying to exploit.
>
> When I looked at the process list, I would see around 20 proftpd's,
> each with a high amount of CPU used, and connected to a specific IP.
> I'd firewall off those IPs and kill off proftpd/restart. Knock on
> wood, I have not had that happen since upgrading to 1.3.3c, but that
> may just be because no one has tried again yet.
>
> Jerry

Yep, that's correct according to the proftpd website news. I upgraded using the latest port but still got attacked. I changed to pure-ftpd, then everything was fine.

-- 
Thanks & Regards,
Thomas Wahyudi
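
The triage described in the quoted message (many proftpd processes tied to one remote IP) can be checked from socket listings; this is an added example, not part of the original thread. It assumes the FreeBSD `sockstat -4 -c` column layout, and the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: count connected proftpd sockets per remote IPv4 address
# and list the addresses at or above a threshold.
# Assumed columns (FreeBSD sockstat): USER COMMAND PID FD PROTO LOCAL FOREIGN

# Constructed sample input using documentation addresses (not from the thread).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     proftpd    900   1  tcp4   *:21                  *:*
nobody   proftpd    4101  0  tcp4   192.0.2.10:21         203.0.113.7:50112
nobody   proftpd    4102  0  tcp4   192.0.2.10:21         203.0.113.7:50113
nobody   proftpd    4103  0  tcp4   192.0.2.10:21         203.0.113.7:50114
nobody   proftpd    4104  0  tcp4   192.0.2.10:21         203.0.113.7:50115
nobody   proftpd    4105  0  tcp4   192.0.2.10:21         198.51.100.23:40100
root     sshd       777   3  tcp4   192.0.2.10:22         203.0.113.7:50200
EOF
}

# busy_ftp_peers THRESHOLD   (reads sockstat output on stdin)
# Prints "count ip", highest count first, for each remote IP that holds
# at least THRESHOLD proftpd sockets. Other daemons and the listening
# socket (foreign address *:*) are ignored.
busy_ftp_peers() {
    awk -v min="$1" '
        $2 == "proftpd" && $5 == "tcp4" && $7 != "*:*" {
            ip = $7
            sub(/:[0-9]+$/, "", ip)      # strip the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print count[ip], ip
        }
    ' | sort -rn
}

# On a live FreeBSD host: sockstat -4 -c | busy_ftp_peers 10
sample_sockstat | busy_ftp_peers 3
```

Addresses reported here are candidates for the firewall block mentioned in the quoted message; pick the threshold from what normal client behaviour on the server looks like.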