Ok, I've little more information unfortunately ...

First, though, I checked the apt history, and what I purged was proftpd-basic:i386 (1.3.3a-4). I found no trace of the config files removed thx to the --purge flag. I could try to use some forensic tool, but I am not sure it's worth the effort if the 1.3.3a-4 package held a proftpd version vulnerable to the IAC Remote Root issue.

In the log there were a lot (thousands) of such lines (about 5 per second):

    Nov 14 05:55:34 ***.net proftpd[27792] ***.net (173.192.96.114-static.reverse.softlayer.com[::ffff:173.192.96.114]): FTP session opened.
    Nov 14 05:55:34 ***.net proftpd[27792] ***.net (173.192.96.114-static.reverse.softlayer.com[::ffff:173.192.96.114]): FTP session closed.

And then several lines like the following (tens of each of these lines are in the log, in no particular order, mixed with some more session opened/session closed):

    Nov 14 05:55:36 ***.net proftpd[27796] ***.net (173.192.96.114-static.reverse.softlayer.com[::ffff:173.192.96.114]): client sent too-long command, ignoring
    Nov 14 05:55:38 ***.net proftpd[27797] ***.net (173.192.96.114-static.reverse.softlayer.com[::ffff:173.192.96.114]): ProFTPD terminating (signal 11)

Last, there are these lines at precisely 05:55:50 (the moment the mod_dso and mod_facl error occurred):

    Nov 14 05:55:50 ***.net proftpd[9638] ***.net.net: received SIGHUP -- master server reparsing configuration file
    Nov 14 05:55:50 ***.net proftpd[27802] ***.net.net (173.192.96.114-static.reverse.softlayer.com[::ffff:173.192.96.114]): client sent too-long command, ignoring
    Nov 14 05:55:52 ***.net proftpd[27802] ***.net.net (173.192.96.114-static.reverse.softlayer.com[::ffff:173.192.96.114]): FTP session closed.

The last lines are the last ones before the proftpd server restart at 06:26:31 (I did not restart it).

Of course, in a perfect world, I'd have some time to understand what happened precisely, and investigate thoroughly, but ...

Therefore, as far as I am concerned, the bug should be closed as invalid or duplicate of the "IAC ..." one.

Next time, I'll keep as much information as I can ... Hopefully, there won't be a next time.

Anyway, thx for your time.

Carm

On Mon, 15 Nov 2010 15:15:03 +0100, "Francesco P. Lovergine" <fran...@debian.org> wrote:
> On Mon, Nov 15, 2010 at 03:05:17PM +0100, Jean Couillaud wrote:
>> I suspected proftpd and a quick look at the proftpd logs shows a really
>> great number of login attempts (bruteforce like) and several "too long
>> command" thingies (I'll be more specific this evening), the one last being
>> at the exact same time the mod_facl error and the psadmin user creation.
>> You said mod_facl is not active by default. It's quite strange since I
>> didn't remember modifying the proftpd configuration since I installed it a
>> few months ago.
>>
>
> As said, mod_facl is not active by default, and the whole content of
> your /etc/proftpd directory would help to understand what happened
> and if it is due to proftpd or what else. Note that you had also
> installed an apache server (with possibly some webapps?).
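The three signals described in the message above (rapid "FTP session opened" lines, "client sent too-long command", and "ProFTPD terminating (signal 11)") can be tallied per client address when triaging a proftpd log. This is an added example, not part of the original thread; the sample lines, host names, addresses and the `rate_threshold` value are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Per-session lines: "<ts> <host> proftpd[<pid>] <host> (<rdns>[<addr>]): <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\([^\[]*\[(?P<addr>[^\]]+)\]\): (?P<msg>.*)$"
)

# Constructed sample input (documentation address ranges, not data from the thread).
SAMPLE = """\
Nov 14 05:55:34 ftp.example.net proftpd[101] ftp.example.net (scan.example.org[::ffff:192.0.2.10]): FTP session opened.
Nov 14 05:55:34 ftp.example.net proftpd[102] ftp.example.net (scan.example.org[::ffff:192.0.2.10]): FTP session opened.
Nov 14 05:55:34 ftp.example.net proftpd[103] ftp.example.net (scan.example.org[::ffff:192.0.2.10]): FTP session opened.
Nov 14 05:55:34 ftp.example.net proftpd[101] ftp.example.net (scan.example.org[::ffff:192.0.2.10]): FTP session closed.
Nov 14 05:55:36 ftp.example.net proftpd[104] ftp.example.net (scan.example.org[::ffff:192.0.2.10]): client sent too-long command, ignoring
Nov 14 05:55:38 ftp.example.net proftpd[105] ftp.example.net (scan.example.org[::ffff:192.0.2.10]): ProFTPD terminating (signal 11)
Nov 14 05:55:50 ftp.example.net proftpd[100] ftp.example.net: received SIGHUP -- master server reparsing configuration file
Nov 14 06:10:02 ftp.example.net proftpd[110] ftp.example.net (user.example.com[::ffff:198.51.100.7]): FTP session opened.
"""

def summarize(lines, rate_threshold=3):
    """Per-client counts of the three signals; rate_threshold is sessions per second."""
    opened = defaultdict(Counter)  # addr -> {timestamp: sessions opened in that second}
    too_long, crashes = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # master-process lines (e.g. SIGHUP) carry no client address
        addr, msg = m["addr"].removeprefix("::ffff:"), m["msg"]
        if msg.startswith("FTP session opened"):
            opened[addr][m["ts"]] += 1
        elif "client sent too-long command" in msg:
            too_long[addr] += 1
        elif "terminating (signal 11)" in msg:
            crashes[addr] += 1
    report = {}
    for addr in set(opened) | set(too_long) | set(crashes):
        peak = max(opened[addr].values(), default=0)
        report[addr] = {
            "sessions": sum(opened[addr].values()), "peak_per_second": peak,
            "too_long": too_long[addr], "crashes": crashes[addr],
            # Flag connection floods, or an oversized command paired with a child segfault.
            "flag": peak >= rate_threshold or (too_long[addr] > 0 and crashes[addr] > 0),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```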