Need advice

LawsHosting (Verified User, joined Sep 13, 2008, 2,375 messages, London UK)
I know this isn't DA related.

Saw a server constantly at 5.0 load, which was the result of ProFTP hogging 95% of cpu. So I killed the processes, then looked at the auth.log and saw tons of these every second:
Nov 9 11:31:28 server3 kernel: grsec: From 188.165.212.60: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:12262] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 9 11:31:28 server3 kernel: grsec: From 129.217.228.120: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:2706] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Blocked the IPs and started ProFTP, all okay at the moment, load is back down and cpu temps are back to normal.

So, was this a hack attempt or something else? This is the first time this has happened. Some insight would be appreciated.
 
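As an added example (not code from the thread or from any poster), a small Python script that parses grsec audit lines in the format quoted above and aggregates them by source IP, so a burst of illegal-instruction events against proftpd children from one address stands out in auth.log; the sample log lines, IPs and PIDs are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the grsecurity "Illegal instruction" audit line the kernel writes to auth.log,
# in the format quoted in the first post. Trailing uid/gid fields are left unparsed.
GRSEC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"From (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Illegal instruction occurred at "
    r"(?P<addr>[0-9a-fA-F]+) in (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)

def parse_grsec_line(line):
    """Return the fields of one grsec illegal-instruction line, or None if it is not one."""
    m = GRSEC_RE.match(line)
    return m.groupdict() if m else None

def offending_sources(lines, daemon="proftpd", threshold=3):
    """Aggregate illegal-instruction events for `daemon` by source IP.

    Returns (ip, event_count, distinct_pids) tuples, most frequent first, for every
    source with at least `threshold` events. Many events from one source spread over
    several PIDs means forked child processes are being crashed again and again."""
    counts = Counter()
    pids = defaultdict(set)
    for line in lines:
        ev = parse_grsec_line(line)
        if ev is None or ev["comm"] != daemon:
            continue  # not a grsec line, or a different daemon (e.g. sshd)
        counts[ev["ip"]] += 1
        pids[ev["ip"]].add(ev["pid"])
    return [(ip, n, len(pids[ip])) for ip, n in counts.most_common() if n >= threshold]

# Constructed sample log (documentation-range IPs, made-up PIDs), same format as the thread.
SAMPLE_LOG = """\
Nov 9 11:31:28 server3 kernel: grsec: From 192.0.2.10: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:12262] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 9 11:31:28 server3 kernel: grsec: From 198.51.100.7: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:2706] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 9 11:31:29 server3 sshd[4410]: Accepted publickey for admin from 203.0.113.5 port 51022 ssh2
Nov 9 11:31:29 server3 kernel: grsec: From 192.0.2.10: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:12270] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 9 11:31:29 server3 kernel: grsec: From 198.51.100.7: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:2706] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 9 11:31:30 server3 kernel: grsec: From 192.0.2.10: Illegal instruction occurred at 0804d23c in /usr/sbin/proftpd[proftpd:12270] uid/euid:0/107 gid/egid:110/110, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Nov 9 11:31:30 server3 kernel: grsec: From 203.0.113.5: Illegal instruction occurred at 08051a00 in /usr/sbin/sshd[sshd:4410] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

if __name__ == "__main__":
    for ip, n, npids in offending_sources(SAMPLE_LOG.splitlines(), threshold=2):
        print(f"{ip}: {n} illegal-instruction events across {npids} proftpd PIDs")
```

Run it against the real file with `offending_sources(open("/var/log/auth.log"))` and a threshold that suits the box; the output is a candidate list for the firewall and for abuse reports, not an automatic block list.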
Illegal instruction is probably a hack attempt against a known vulnerability in one of the many ftp daemons out there.

Hiding the IP# of a possible hacker isn't necessarily a good idea; if you'd left it then anyone googling to see if the IP# was attempting to compromise his server could have found this thread.

Jeff
 
I re-added them.

Thanks for the clarification. I've also sent abuse reports to the upstreams.
 
Peter,

My first guess, just as Jeff's, would be that it was a bruteforce attempt which was exploiting an exploit in the proftpd software. You blocked the IPs; can you see on your firewall logs (if there are any) that the traffic is being dropped now?
 