Package: proftpd-basic
Version: 1.3.3a-5

Hi,

My server just got rooted and what I've done for now, to dig into what could have been the leak, points to proftpd, mod_facl in particular. I won't have a way to dig further until this evening (UTC+1 local time), but it is a testing (squeeze) Debian almost up to date with only ssh, apache and proftpd available from the outside.

Here is the logcheck notification that led me to think mod_facl is guilty:

    Nov 14 05:55:50 carmgate useradd[27810]: new group: name=psadmin, GID=1002
    Nov 14 05:55:50 carmgate useradd[27810]: new user: name=psadmin, UID=1002, GID=1002, home=/home/psadmin, shell=/bin/sh
    Nov 14 05:55:50 carmgate proftpd[9638]: error: duplicate fs paths not allowed: '/'
    Nov 14 05:55:50 carmgate proftpd[9638]: mod_facl/0.4: error registering 'facl' FS: Operation not permitted
    Nov 14 05:55:50 carmgate proftpd[9638]: mod_dso/0.5: module 'mod_facl.c' failed to initialize
    Nov 14 05:55:50 carmgate proftpd[9638]: Fatal: LoadModule: error loading module 'mod_facl.c': Operation not permitted on line 86 of '/etc/proftpd/modules.conf'

After this, I've had a tiger notification that might show other vulnerabilities (but on those, I could be the guilty one):

    # Performing check of user accounts...
    NEW: --WARN-- [acc006w] Login ID userx's home directory (/tmp) has world write access.
    # Performing check of passwd files...
    NEW: --WARN-- [pass002w] UID 0 exists multiple times (2) in /etc/passwd.
    NEW: --WARN-- [pass002w] UID 9 exists multiple times (2) in /etc/passwd.
    NEW: --WARN-- [pass017w] Login ID default has uid == 0.
    # Checking the format of passwd and group files.
    NEW: --FAIL-- [pass009f] Login default has a group id of 1 which should be reserved for bin or daemon.
    NEW: --FAIL-- [pass009f] Login default has a user id of 0 which should be reserved for root
    NEW: --FAIL-- [pass009f] Login default has an unusual password content.
    NEW: --FAIL-- [pass009f] Login userx has an unusual password content.
    NEW: --WARN-- [pass002w] File /etc/passwd has duplicate user ids:
    NEW: default 0 root 0 news 9 userx 9

I don't know if the vulnerability in proftpd is a new one, but I found no trace of such a thing by googling or browsing the proftpd or Debian bug trackers, so I assume I am one of the lucky first to encounter this (or else, I am just not good enough at finding bugs on trackers).

I'll add information to the bug as I get it, as soon as I can log on to the server.

Best regards,
Carm
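
An added example, not part of the original report: a small Python audit that reproduces the duplicate-UID and extra-UID-0 findings from the tiger output above and also flags accounts missing from a known-good list. The passwd content, the `localuser` account and the baseline set are constructed for illustration; only the account names and UIDs named in the report are taken from it.

```python
from collections import defaultdict

# Constructed sample in /etc/passwd format. Account names and UIDs mirror the
# report above; every other field is invented for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
news:x:9:9:news:/var/spool/news:/bin/sh
localuser:x:1000:1000::/home/localuser:/bin/bash
psadmin:x:1002:1002::/home/psadmin:/bin/sh
default:x:0:1::/:/bin/sh
userx:x:9:9::/tmp:/bin/sh
"""
# Assumed known-good account list, e.g. taken from a backup of /etc/passwd.
BASELINE = {"root", "news", "localuser"}


def audit_passwd(text, baseline):
    """Return findings as tuples: (kind, detail...)."""
    findings = []
    names_by_uid = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        # A valid entry has exactly 7 colon-separated fields and a numeric UID.
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(("malformed", line_no))
            continue
        name, uid = fields[0], int(fields[2])
        names_by_uid[uid].append(name)
        if name not in baseline:
            findings.append(("new_account", name))
        # Any UID 0 entry other than root is a second superuser account.
        if uid == 0 and name != "root":
            findings.append(("uid0_not_root", name))
    # Accounts sharing a UID share file ownership and privileges.
    for uid, names in sorted(names_by_uid.items()):
        if len(names) > 1:
            findings.append(("duplicate_uid", uid, tuple(names)))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, BASELINE):
        print(finding)
```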