>But I guess the cobalt team will patch the
>source code and then put the patch on the cobalt
>site,

Agreed!

>easy no need to panic and disable your ftp.

Regardless of hair splitting (exploit, not exploit) - the fact remains, one of my RaQ4s was brought to its knees and all the services were unavailable for all the domains as the machine went belly up.

During the day while I'm able to baby-sit, I can always just reboot if some local kiddie (I never permit anonymous access) decides to try and play in the sandbox again. Then I can just boot their ass off the machine and charge their cc an extra $300 for breaking my AUP.

You're correct, it is a local DoS attack. In the article on Security Focus, the tester notes in the debug session:

    active data connection opened - local : 127.0.0.1
    active data connection opened - remote : 127.0.0.1

While all our logs were filled with fun issues and messages, in the secure log there's one line that clearly showed when the attack started (and matched up other stuff in the other logs).

    in.proftpd[11728]: connect from 127.0.0.1

Normally, it's logged as:

    in.proftpd[11728]: connect from local

After this, things just got crazy inside little blue.

Luckily, this isn't anything (yet) that one or two good reboots won't cure if caught in time. Plus as I stated before, they managed no access to the box outside of their own standard FTP account. But they did manage to crash little blue even if it took an hour or so to do..

But I got an extra $300 added to my paycheck this week as well, so all's okay..

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
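
A log check for the indicator described in the message above, as an added example that is not part of the original post: it flags `in.proftpd` connection lines in the secure log whose source is a loopback address literal rather than `local`, and reports when they first appear so the time can be matched against the other logs. The timestamps, hostname, extra PIDs and the remote address in the sample are constructed, and a standard syslog line layout is assumed.

```python
import ipaddress
import re

# Constructed sample in an assumed syslog layout; only the message text
# "in.proftpd[11728]: connect from 127.0.0.1" / "... connect from local"
# comes from the post. Host name, times and other PIDs are made up.
SAMPLE_SECURE_LOG = """\
Dec 10 09:14:02 raq4 in.proftpd[11502]: connect from 192.0.2.15
Dec 10 13:41:37 raq4 in.proftpd[11728]: connect from 127.0.0.1
Dec 10 13:41:39 raq4 in.proftpd[11731]: connect from 127.0.0.1
Dec 10 13:42:10 raq4 in.telnetd[11740]: connect from 127.0.0.1
Dec 10 13:45:00 raq4 in.proftpd[11802]: connect from local
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+"
    r"in\.proftpd\[(?P<pid>\d+)\]:\s+connect from\s+(?P<src>\S+)\s*$"
)


def is_loopback_literal(src):
    """True for 127.0.0.0/8 or ::1 written as an address; 'local' is not one."""
    try:
        return ipaddress.ip_address(src).is_loopback
    except ValueError:
        return False


def loopback_ftp_connects(log_text):
    """Return in.proftpd connects whose logged source is a loopback address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_loopback_literal(m.group("src")):
            hits.append({"ts": m.group("ts"),
                         "pid": int(m.group("pid")),
                         "src": m.group("src")})
    return hits


def first_seen(hits):
    """Timestamp of the earliest flagged line, for correlation with other logs."""
    return hits[0]["ts"] if hits else None


if __name__ == "__main__":
    found = loopback_ftp_connects(SAMPLE_SECURE_LOG)
    print("first seen:", first_seen(found))
    for h in found:
        print(h["ts"], "pid", h["pid"], "from", h["src"])
```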
