Re: Runaway ProFTP?

2010-12-14 Thread Ryan Coleman
And it's fixed now... not sure what the deal was with portsnap but it finally 
worked. I appreciate all the help.

--
Ryan

On Dec 10, 2010, at 10:59 PM, Ryan Coleman wrote:

 I have not been able to get portsnap to work at all today.
 
 
 On Dec 10, 2010, at 10:53 PM, Grant Peel wrote:
 
 - Original Message - From: Jerry Bell je...@nrdx.com
 To: freebsd-questions@freebsd.org
 Sent: Friday, December 10, 2010 4:47 PM
 Subject: Re: Runaway ProFTP?
 
 
 I have been having this happen a few times per week for the past few weeks. 
 I believe it is caused by someone attacking proftpd.  I noticed today that 
 there is an updated version - 1.3.3c that fixes a vulnerability that they 
 may have been trying to exploit.
 
 When I looked at the process list, I would see around 20 proftpd's, each 
 with a high amount of CPU used, and connected to a specific IP.  I'd 
 firewall off those IPs and kill off proftpd/restart.  Knock on wood, I have 
 not had that happen since upgrading to 1.3.3c, but that may just be because 
 no one has tried again yet.
 
 Jerry
 On 12/10/2010 4:39 PM, Ryan Coleman wrote:
 Does anyone have any ideas?
 
 On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:
 
 Dear list,
 
 Has anyone else had experience with ProFTP 1.3.3a running away with 
 processes? I installed it about 2 months ago with a new server build and 
 over the course of the last three weeks I've had to forcibly kill, wait 
 and restart the service every one-to-three days and sucking up between 
 20% and 80% of my system resources.
 
 I've attempted to change the logging in hopes to track down what is 
 causing the problems but I have not been successful. Additionally it 
 won't connect after a restart through Filezilla but using Terminal on my 
 MBP it will connect in the CLI.
 
 It's not the end of the world (for me) but it is for my staff when they 
 have to upload large numbers of photos.
 
 Thanks,
 Ryan
 
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to 
 freebsd-questions-unsubscr...@freebsd.org
 
 
 Indeed, this Proftpd 1.3.3a vulnerability is exactly what my post on 
 upgrading a single port is all about. I can say for a fact that the botnets 
 are trying to use the vulnerability and that you are quite correct that the 
 CPU /  ZOMBIE processes are exploit related.
 
 I just upgraded today and so far so good.
 
 FYI for anyone that is following my thread on updating one single port: I 
 must have a somewhat busted installation. Using port upgrade failed ... sorry 
 I did not remember to keep the output, but, I was able to download the 
 source from proftpd.org and install it from scratch.
 
 -Grant 


Re: Runaway ProFTP?

2010-12-11 Thread Michael Powell
Grant Peel wrote:
[snip]
 
 FYI for anyone that is following my thread on updating one single port: I
 must have a somewhat busted installation. Using port upgrade failed ...
 sorry I did not remember to keep the output, but, I was able to download
 the source from proftpd.org and install it from scratch.
 

What I do on a fairly regular basis (usually about once a week) is the 
following:

cd to /usr/sup   - this is where I keep my supfiles and housekeeping

csup -L 2 ports && portsdb -uF && pkgdb -u && portversion

This refreshes the ports tree and downloads the current matching INDEX 
database. Then the package database gets updated and checked and if there 
are no errors portversion runs to identify ports in need of update.

Of course, what to do about the results is left up to the sysadmin. If I am 
inclined to update (usually just a portupgrade -a most of the time) I will 
then consult UPDATING. 

Preparing some kind of fallback in case of failure is a good idea for 
anything in production. I'm lucky enough to have an extra spare hard drive 
in every box to which I can do a dump immediately prior to upgrade. I also 
believe in test bedding stuff first. My 2 servers at home have the same 
services running on them as the 7 I have at work. So I run any updating on 
the two boxen at home first. If that is trouble free I might then do the 
ones at work. If not, the ones at work won't be touched.

One thing I've noticed over the years is portupgrade works best when done 
more frequently so fewer things get upgraded at any one time. Letting a box 
go for 6 months and needing to update 100 things is more prone to failure. 
Each approach has its pros and cons. Some shops don't want frequent 
updating because it is more likely to take a production system down, and 
that is perfectly reasonable to the point that old software doesn't have 
exploits.

There have been a few updates to portupgrade itself lately.  But there is a 
pretty fair chance if the command line shown above rolls all the way through 
with zero errors it may be taken as a good sign. Any errors at all and I 
would stop and find out what's wrong before moving on to actually updating 
anything.

-Mike






Re: Runaway ProFTP?

2010-12-10 Thread Ryan Coleman
Does anyone have any ideas?

On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:

 Dear list,
 
 Has anyone else had experience with ProFTP 1.3.3a running away with 
 processes? I installed it about 2 months ago with a new server build and over 
 the course of the last three weeks I've had to forcibly kill, wait and 
 restart the service every one-to-three days and sucking up between 20% and 
 80% of my system resources.
 
 I've attempted to change the logging in hopes to track down what is causing 
 the problems but I have not been successful. Additionally it won't connect 
 after a restart through Filezilla but using Terminal on my MBP it will 
 connect in the CLI.
 
 It's not the end of the world (for me) but it is for my staff when they have 
 to upload large numbers of photos.
 
 Thanks,
 Ryan
 


Re: Runaway ProFTP?

2010-12-10 Thread Jerry Bell
I have been having this happen a few times per week for the past few 
weeks.  I believe it is caused by someone attacking proftpd.  I noticed 
today that there is an updated version - 1.3.3c that fixes a 
vulnerability that they may have been trying to exploit.


When I looked at the process list, I would see around 20 proftpd's, each 
with a high amount of CPU used, and connected to a specific IP.  I'd 
firewall off those IPs and kill off proftpd/restart.  Knock on wood, I 
have not had that happen since upgrading to 1.3.3c, but that may just be 
because no one has tried again yet.


Jerry
On 12/10/2010 4:39 PM, Ryan Coleman wrote:

Does anyone have any ideas?

On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:


Dear list,

Has anyone else had experience with ProFTP 1.3.3a running away with processes? 
I installed it about 2 months ago with a new server build and over the course 
of the last three weeks I've had to forcibly kill, wait and restart the service 
every one-to-three days and sucking up between 20% and 80% of my system 
resources.

I've attempted to change the logging in hopes to track down what is causing the 
problems but I have not been successful. Additionally it won't connect after a 
restart through Filezilla but using Terminal on my MBP it will connect in the 
CLI.

It's not the end of the world (for me) but it is for my staff when they have to 
upload large numbers of photos.

Thanks,
Ryan

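The triage described in the message above (many proftpd processes, each with high CPU and each connected to a remote IP) can be scripted by joining process CPU figures to socket peers on PID. This is an added example, not part of any post in the thread; the sample data is constructed, and the `ps -axo pid,pcpu,comm` and `sockstat -4c` column layouts it parses are assumptions to check against your own host.

```shell
#!/bin/sh
# Constructed sample data (not from the thread). Assumed column layouts:
#   ps -axo pid,pcpu,comm  -> PID %CPU COMMAND
#   sockstat -4c           -> USER COMMAND PID FD PROTO LOCAL FOREIGN
# All addresses are documentation ranges (RFC 5737).
sample_ps() {
cat <<'EOF'
  PID %CPU COMMAND
 2301 38.5 proftpd
 2302 41.0 proftpd
 2303  0.3 proftpd
 2310 35.2 proftpd
  811  0.0 sshd
EOF
}

sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
proftpd  proftpd    2301  1  tcp4   192.0.2.10:21         203.0.113.45:51234
proftpd  proftpd    2302  1  tcp4   192.0.2.10:21         203.0.113.45:51240
proftpd  proftpd    2303  1  tcp4   192.0.2.10:21         198.51.100.7:40022
proftpd  proftpd    2310  1  tcp4   192.0.2.10:21         203.0.113.99:60001
root     sshd       811   3  tcp4   192.0.2.10:22         198.51.100.7:40100
EOF
}

# hot_ftp_peers PS_FILE SOCKSTAT_FILE MIN_CPU
# Prints "IP sessions total_cpu" for every remote address that has at least
# one proftpd process at or above MIN_CPU percent, busiest address first.
# Each PID is counted once even if it holds several sockets; listening
# sockets (foreign address "*:*") are skipped.
hot_ftp_peers() {
    awk -v min="$3" '
        NR == FNR { if ($3 == "proftpd" && $2 + 0 >= min) cpu[$1] = $2; next }
        $2 == "proftpd" && ($3 in cpu) && $7 !~ /^\*/ && !seen[$3]++ {
            ip = $7; sub(/:[0-9]+$/, "", ip)      # strip the remote port
            n[ip]++; total[ip] += cpu[$3]
        }
        END { for (ip in n) printf "%s %d %.1f\n", ip, n[ip], total[ip] }
    ' "$1" "$2" | sort -k3,3nr
}

# Demo on the constructed samples; on a live host, save real command output
# to the two files instead.
tmp=$(mktemp -d)
sample_ps > "$tmp/ps"; sample_sockstat > "$tmp/sockstat"
hot_ftp_peers "$tmp/ps" "$tmp/sockstat" 20
rm -r "$tmp"
```

The addresses it prints are the candidates to review before firewalling; idle or low-CPU sessions such as normal uploads fall below the threshold and are not listed.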


Re: Runaway ProFTP?

2010-12-10 Thread Thomas Wahyudi

On 11/12/2010 4:47, Jerry Bell wrote:
I have been having this happen a few times per week for the past few 
weeks.  I believe it is caused by someone attacking proftpd.  I 
noticed today that there is an updated version - 1.3.3c that fixes a 
vulnerability that they may have been trying to exploit.


When I looked at the process list, I would see around 20 proftpd's, 
each with a high amount of CPU used, and connected to a specific IP.  
I'd firewall off those IPs and kill off proftpd/restart.  Knock on 
wood, I have not had that happen since upgrading to 1.3.3c, but that 
may just be because no one has tried again yet.


Jerry


Yep, that's correct according to the proftpd website news. I upgraded using 
the latest port but was still getting attacked; I changed to pure-ftpd and then 
everything was fine.


--
Thanks & Regards,

Thomas Wahyudi



Re: Runaway ProFTP?

2010-12-10 Thread Grant Peel
- Original Message - 
From: Jerry Bell je...@nrdx.com

To: freebsd-questions@freebsd.org
Sent: Friday, December 10, 2010 4:47 PM
Subject: Re: Runaway ProFTP?


I have been having this happen a few times per week for the past few weeks. 
I believe it is caused by someone attacking proftpd.  I noticed today that 
there is an updated version - 1.3.3c that fixes a vulnerability that they 
may have been trying to exploit.


When I looked at the process list, I would see around 20 proftpd's, each 
with a high amount of CPU used, and connected to a specific IP.  I'd 
firewall off those IPs and kill off proftpd/restart.  Knock on wood, I 
have not had that happen since upgrading to 1.3.3c, but that may just be 
because no one has tried again yet.


Jerry
On 12/10/2010 4:39 PM, Ryan Coleman wrote:

Does anyone have any ideas?

On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:


Dear list,

Has anyone else had experience with ProFTP 1.3.3a running away with 
processes? I installed it about 2 months ago with a new server build and 
over the course of the last three weeks I've had to forcibly kill, wait 
and restart the service every one-to-three days and sucking up between 
20% and 80% of my system resources.


I've attempted to change the logging in hopes to track down what is 
causing the problems but I have not been successful. Additionally it 
won't connect after a restart through Filezilla but using Terminal on my 
MBP it will connect in the CLI.


It's not the end of the world (for me) but it is for my staff when they 
have to upload large numbers of photos.


Thanks,
Ryan





Indeed, this Proftpd 1.3.3a vulnerability is exactly what my post on 
upgrading a single port is all about. I can say for a fact that the botnets 
are trying to use the vulnerability and that you are quite correct that the 
CPU /  ZOMBIE processes are exploit related.


I just upgraded today and so far so good.

FYI for anyone that is following my thread on updating one single port: I 
must have a somewhat busted installation. Using port upgrade failed ... sorry 
I did not remember to keep the output, but, I was able to download the 
source from proftpd.org and install it from scratch.


-Grant 




Re: Runaway ProFTP?

2010-12-10 Thread Ryan Coleman
I have not been able to get portsnap to work at all today.


On Dec 10, 2010, at 10:53 PM, Grant Peel wrote:

 - Original Message - From: Jerry Bell je...@nrdx.com
 To: freebsd-questions@freebsd.org
 Sent: Friday, December 10, 2010 4:47 PM
 Subject: Re: Runaway ProFTP?
 
 
 I have been having this happen a few times per week for the past few weeks. 
 I believe it is caused by someone attacking proftpd.  I noticed today that 
 there is an updated version - 1.3.3c that fixes a vulnerability that they 
 may have been trying to exploit.
 
 When I looked at the process list, I would see around 20 proftpd's, each 
 with a high amount of CPU used, and connected to a specific IP.  I'd 
 firewall off those IPs and kill off proftpd/restart.  Knock on wood, I have 
 not had that happen since upgrading to 1.3.3c, but that may just be because 
 no one has tried again yet.
 
 Jerry
 On 12/10/2010 4:39 PM, Ryan Coleman wrote:
 Does anyone have any ideas?
 
 On Dec 9, 2010, at 3:12 PM, Ryan Coleman wrote:
 
 Dear list,
 
 Has anyone else had experience with ProFTP 1.3.3a running away with 
 processes? I installed it about 2 months ago with a new server build and 
 over the course of the last three weeks I've had to forcibly kill, wait 
 and restart the service every one-to-three days and sucking up between 20% 
 and 80% of my system resources.
 
 I've attempted to change the logging in hopes to track down what is 
 causing the problems but I have not been successful. Additionally it won't 
 connect after a restart through Filezilla but using Terminal on my MBP it 
 will connect in the CLI.
 
 It's not the end of the world (for me) but it is for my staff when they 
 have to upload large numbers of photos.
 
 Thanks,
 Ryan
 
 
 
 Indeed, this Proftpd 1.3.3a vulnerability is exactly what my post on 
 upgrading a single port is all about. I can say for a fact that the botnets 
 are trying to use the vulnerability and that you are quite correct that the 
 CPU /  ZOMBIE processes are exploit related.
 
 I just upgraded today and so far so good.
 
 FYI for anyone that is following my thread on updating one single port: I 
 must have a somewhat busted installation. Using port upgrade failed ... sorry 
 I did not remember to keep the output, but, I was able to download the source 
 from proftpd.org and install it from scratch.
 
 -Grant 


Runaway ProFTP?

2010-12-09 Thread Ryan Coleman
Dear list,

Has anyone else had experience with ProFTP 1.3.3a running away with processes? 
I installed it about 2 months ago with a new server build and over the course 
of the last three weeks I've had to forcibly kill, wait and restart the service 
every one-to-three days and sucking up between 20% and 80% of my system 
resources.

I've attempted to change the logging in hopes to track down what is causing the 
problems but I have not been successful. Additionally it won't connect after a 
restart through Filezilla but using Terminal on my MBP it will connect in the 
CLI.

It's not the end of the world (for me) but it is for my staff when they have to 
upload large numbers of photos.

Thanks,
Ryan
