From: "Grant Peel"
To: "Jerry Bell"
Date: Fri, 10 Dec 2010 23:53:05 -0500
Subject: Re: Runaway ProFTP?
In-Reply-To: <4D029FF2.9020305@nrdx.com>
X-BeenThere: freebsd-questions@freebsd.org

----- Original Message -----
From: "Jerry Bell"
Sent: Friday, December 10, 2010 4:47 PM
Subject: Re: Runaway ProFTP?

> I have been having this happen a few times per week for the past few weeks.
> I believe it is caused by someone attacking proftpd. I noticed today that
> there is an updated version - 1.3.3c that fixes a vulnerability that they
> may have been trying to exploit.
>
> When I looked at the process list, I would see around 20 proftpd's, each
> with a high amount of CPU used, and connected to a specific IP. I'd
> firewall off those IPs and kill off proftpd/restart. Knock on wood, I
> have not had that happen since upgrading to 1.3.3c, but that may just be
> because no one has tried again yet.
>
> Jerry
> On 12/10/2010 4:39 PM, Ryan Coleman wrote:
>> Does anyone have any ideas?
>>
>> On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:
>>
>>> Dear list,
>>>
>>> Has anyone else had experience with ProFTP 1.3.3a running away with
>>> processes? I installed it about 2 months ago with a new server build and
>>> over the course of the last three weeks I've had to forcibly kill, wait
>>> and restart the service every one-to-three days and sucking up between
>>> 20% and 80% of my system resources.
>>>
>>> I've attempted to change the logging in hopes to track down what is
>>> causing the problems but I have not been successful. Additionally it
>>> won't connect after a restart through Filezilla but using Terminal on my
>>> MBP it will connect in the CLI.
>>>
>>> It's not the end of the world (for me) but it is for my staff when they
>>> have to upload large numbers of photos.
>>>
>>> Thanks,
>>> Ryan
>>>
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to
>>> "freebsd-questions-unsubscribe@freebsd.org"
>

Indeed, this Proftpd 1.3.3a vulnerability is exactly what my post on upgrading a single port is all about. I can say for a fact that the botnets are trying to use the vulnerability and that you are quite correct that the CPU / ZOMBIE processes are exploit related. I just upgraded today and so far so good.

FYI for anyone that is following my thread on updating one single port: I must have a somewhat busted installation. Using port upgrade failed ... sorry I did not remember to keep the output, but, I was able to download the source from proftpd.org and install it from scratch.

-Grant
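
The triage described in the quoted message (many proftpd processes tied to one remote IP) can be scripted. This is an added example, not part of the original thread: it assumes input in the column layout of FreeBSD `sockstat -4 -c`, the function names are hypothetical, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count proftpd connections per remote IP.
# Assumes input in the column layout of FreeBSD `sockstat -4 -c`:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample (documentation address ranges, made-up PIDs).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     proftpd    900   0  tcp4   *:21                  *:*
nobody   proftpd    4101  0  tcp4   192.0.2.10:21         198.51.100.7:40112
nobody   proftpd    4102  0  tcp4   192.0.2.10:21         198.51.100.7:40113
nobody   proftpd    4103  0  tcp4   192.0.2.10:21         198.51.100.7:40115
nobody   proftpd    4104  0  tcp4   192.0.2.10:21         198.51.100.7:40120
nobody   proftpd    4110  0  tcp4   192.0.2.10:21         203.0.113.5:51000
root     sshd       777   3  tcp4   192.0.2.10:22         198.51.100.7:50222
EOF
}

# noisy_ftp_peers MIN (hypothetical helper name): reads sockstat output on
# stdin and prints "count ip" for each remote IP with >= MIN proftpd sockets.
noisy_ftp_peers() {
    awk -v min="$1" '
        # Skip the header, other daemons, and the listening socket (*:*).
        $2 == "proftpd" && $5 ~ /^tcp/ && $7 != "*:*" {
            ip = $7
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }
    ' | sort -rn
}

# On a live host: sockstat -4 -c | noisy_ftp_peers 10
sample_sockstat | noisy_ftp_peers 3
```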