Disabling exploitable proftpds

A stack overflow bug has been identified in ProFTPd.  This bug allows an attacker to gain remote access (usually as root).  This bug requires immediate attention and potentially a restore to the last backup image of your server.

Information on the bug can be found here:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4221
We have been handling the issue per https://rimuhosting.com/admin/maintenance.jsp?server_maint_oid=203118951

We use nmap -sV -p 21 ipaddress to identify whether the server reports that it is running proftpd.

We needed to disable it on some servers while the exploit is unresolved by various vendors/distro makers.

Trying to get a script that works across a variety of different server setups proved 'interesting'.  Here are some details on that for non-RimuHosting ProFTP users that may want to disable that service...

{

set -x;

# if you are unlucky you may see some 'suspicious' looking processes spawned by proftpd at this point.  Indicating you may have been exploited.
ps auxf | grep --after-context 4 "pro[f]tp" | grep -v grep

# work from the init script directory so the proftp* globs below expand against it
cd /etc/init.d/

# take the service out of the boot sequence (RedHat/CentOS style, then Debian/Ubuntu style)
chkconfig --del proftp*;
update-rc.d -f proftp* remove ;

# stop any running instance, via service(8) or the init script directly
service proftp* stop;
/etc/init.d/proftpd stop;

# Plesk (psa) servers start ftp through xinetd; move the entry aside and restart xinetd
[ -e /etc/xinetd.d/ftp_psa ] && mv /etc/xinetd.d/ftp_psa /root/ && echo disabling psa_ftp && /etc/init.d/xinetd restart

# classic inetd: comment out the ftp line, then restart whichever inetd flavour is installed
grep ftp /etc/inetd.conf && sed --in-place 's/^ftp/\#exploitable ftp/' /etc/inetd.conf && grep ftp /etc/inetd.conf && { /etc/init.d/inetd restart ; /etc/init.d/openbsd-inetd restart ; /etc/init.d/xinetd restart; /etc/init.d/inetutils-inetd restart; }

set +x

} 2>&1 | tee -a proftpdremoveresults

This will try to disable ProFTPd from starting up in each of the ways it might be launched (/etc/init.d; service; inetd), and will leave a log of what happened in proftpdremoveresults.
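Two checks that pair with the above, written for this post as an added example (not part of the original script): one decides from nmap -sV -p 21 output whether a host's FTP banner identifies ProFTPD, the other tells you whether an inetd.conf still carries a live ftp line after the sed edit. The nmap output and the inetd line below are constructed samples, not real scan or config data.

```shell
#!/bin/sh
# Added example: defender-side checks for the ProFTPD disable procedure.
# reports_proftpd reads `nmap -sV -p 21 host` output on stdin and returns 0 when
# port 21 is open and the service banner names ProFTPD. inetd_ftp_active returns 0
# when an inetd.conf still has an uncommented ftp entry (the sed step did not take).

# Constructed `nmap -sV -p 21` output for a host that reports ProFTPD.
NMAP_PROFTPD='Nmap scan report for 192.0.2.10
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD'

# Constructed output for a host whose port 21 is closed.
NMAP_CLOSED='Nmap scan report for 192.0.2.11
PORT   STATE  SERVICE
21/tcp closed ftp'

# Constructed output for a host running some other FTP daemon (placeholder name).
NMAP_OTHER='Nmap scan report for 192.0.2.12
PORT   STATE SERVICE VERSION
21/tcp open  ftp     OtherFTPd'

# Constructed inetd.conf line of the kind the post's sed command comments out.
INETD_FTP_LINE='ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd'

# 0 if stdin shows "21/tcp open ftp ..." with ProFTPD in the version column.
reports_proftpd() {
    grep -Eiq '^21/tcp[[:space:]]+open[[:space:]]+ftp[[:space:]].*proftpd'
}

# 0 if the inetd.conf given as $1 still has an uncommented line starting with "ftp".
inetd_ftp_active() {
    [ -r "$1" ] && grep -q '^ftp[[:space:]]' "$1"
}

# Demo: run the banner check over the three constructed scans.
for sample in "$NMAP_PROFTPD" "$NMAP_CLOSED" "$NMAP_OTHER"; do
    host=$(printf '%s\n' "$sample" | sed -n 's/^Nmap scan report for //p')
    printf '%s\n' "$sample" | reports_proftpd \
        && echo "$host: reports ProFTPD on port 21, disable it" \
        || echo "$host: no ProFTPD banner on port 21"
done
```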

About Peter Bryant

Peter founded RimuHosting in 2003
This entry was posted in Security.
