Opened 15 years ago
Closed 9 years ago
#4600 closed Bug report (outdated)
Attack during identification process ?
| Reported by: | alf | Owned by: | |
|---|---|---|---|
| Priority: | high | Component: | FileZilla Server |
| Keywords: | authentification, security, 100% cpu | Cc: | |
| Component version: | Operating system type: | Windows | |
| Operating system version: | XP SP3 |
Description
Hi,
I have installed FZS 0.9.31 on a windows XP SP3 box a month ago for a private use: there is a small number of well known clients. And during this month, FZS has going crazy several times. CPU skyrockets to 100% with someone connected but no user identified in the list of users in the admin console.
It always follows the same scheme: someone tries to authentify 2 or 3 times with the same username (USER command), without giving any password (no PASS command) and FZS go crazy. Kicking or banning user make FZS go back to normal.
(000001) 08/06/2009 10:25:14 - (not logged in) (82.114.242.60)> USER Administrator
(000001) 08/06/2009 10:25:14 - (not logged in) (82.114.242.60)> 331 Password required for administrator
(000001) 08/06/2009 10:25:15 - (not logged in) (82.114.242.60)> USER Administrator
(000001) 08/06/2009 10:25:15 - (not logged in) (82.114.242.60)> 331 Password required for administrator
(000001) 08/06/2009 19:01:35 - (not logged in) (82.114.242.60)> 421 Kicked by Administrator
(000001) 08/06/2009 19:01:35 - (not logged in) (82.114.242.60)> disconnected.
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> USER Administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> 331 Password required for administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> USER Administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> 331 Password required for administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> USER Administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> 331 Password required for administrator
(000005) 12/06/2009 07:53:51 - (not logged in) (64.69.35.115)> 421 Kicked by Administrator
(000005) 12/06/2009 07:53:51 - (not logged in) (64.69.35.115)> could not send reply, disconnected.
(000005) 12/06/2009 07:53:51 - (not logged in) (64.69.35.115)> disconnected.
I have played with almost all the options of FZS without any succes. And I can't sum up my tries here but they have had no effects. Then, I have tried the following workarounds:
- create a simple "Administrator" disabled account - not working
- create a simple "Administrator" enabled account with password - not working
- create a simple "Administrator" enabled account with password and SSL required - working
000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> disconnected.
But after this, the "attacker" change the user from "Administrator" to "oracle" and here we go again ...
(000016) 21/06/2009 15:09:32 - (not logged in) (203.59.222.90)> USER oracle
(000016) 21/06/2009 15:09:32 - (not logged in) (203.59.222.90)> 331 Password required for oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> USER oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> 331 Password required for oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> USER oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> 331 Password required for oracle
(000016) 22/06/2009 09:36:09 - (not logged in) (203.59.222.90)> 421 Kicked by Administrator
(000016) 22/06/2009 09:36:09 - (not logged in) (203.59.222.90)> disconnected.
I can't create an account for each potential name that hacker-maniacs out there will try. So if someone has a solution.
I don't know if is is a security bug and if it concerns others versions of FZS.
regards
Change History (9)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
| Priority: | normal → high |
|---|
Again FZS 0.9.32 on XP Pro SP3 box ...
This time the attacker has gone through the SSL workaround and has logged multiple times from different IPs (which I banned again and again and again) ...
(000076) 09/07/2009 13:44:22 - (not logged in) (200.6.13.4)> Connected, sending welcome message...
..ZAP WELCOME MESSAGE ...
(000076) 09/07/2009 13:44:22 - (not logged in) (200.6.13.4)> USER administrator
(000076) 09/07/2009 13:44:22 - (not logged in) (200.6.13.4)> 530 SSL required
(000076) 09/07/2009 13:44:23 - (not logged in) (200.6.13.4)> USER administrator
(000076) 09/07/2009 13:44:23 - (not logged in) (200.6.13.4)> 530 SSL required
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> Connected, sending welcome message...
..ZAP WELCOME MESSAGE ...
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> USER administrator
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> 530 SSL required
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> USER administrator
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> 530 SSL required
..ZAP WELCOME MESSAGE ...
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> USER administrator
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> 530 SSL required
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> USER administrator
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> 530 SSL required
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> USER administrator
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> 530 SSL required
(000076) 09/07/2009 21:58:50 - (not logged in) (200.6.13.4)> 421 Kicked by Administrator
(000076) 09/07/2009 21:58:50 - (not logged in) (200.6.13.4)> disconnected.
(000077) 09/07/2009 21:58:50 - (not logged in) (200.6.13.4)> disconnected.
(000078) 09/07/2009 21:58:50 - (not logged in) (69.197.161.80)> disconnected.
Is there at least someone reading this ?
Is this usefull ?
No feedback from the dev team is very annoying. This is at first sight a serious security issue which no one of the dev team seem eager to correct.
My only good solution is to change of ftp server. Bye.
comment:3 by , 15 years ago
| Status: | new → moreinfo |
|---|
I am unable to reproduce the problem.
Are you using any firewalls or other so-called security solutions? What happens if you uninstall them?
comment:4 by , 15 years ago
I am adminsys. I know there is no problem with my firewals (one on my linksys box dd-wrt and one my xp box which is comodo) or any other softwares. But I have tried to turn the xp one "on"/"off" to be absolutely sure. The problem is: I can't control the hacker and I can't reproduce the problem as I wish so it takes time.
Until now, the only symptom is a 100% CPU even if there is no one a the end of the connection and the connection is closed.
I just started monitoring the connection with the last wireshark ... but I hate to use my personal "production" computer as a honeypot.
Why the hell did I go windows for a server host. I should have stayed on a plain linux.
:-(
comment:6 by , 15 years ago
I've bombarded the server all night long with login attempts, it's still working along nicely, no problems at all.
But I have tried to turn the xp one "on"/"off" to be absolutely sure.
Note that even if you switch them to off, their drivers are still loaded and running. Only complete uninstallation unloads the drivers.
Is there a debug mode in FZS ?
Yes, compile it yourself and run it inside a debugger.
comment:7 by , 15 years ago
| Status: | moreinfo → new |
|---|
I don't think it is a DOS : there is only 2 or 3 tries before the server go crazy and there are no log of half opened tcp connections or anything like that in the dd-wrt linksys box.
And even when the attack fail, there is no more than 5 tries.
In fact, I have very few connection attempts (1 to 3 con a day for the valid ones, and 1 every other day for my special guest which play with my FZS).
IMO it is more some strangely crafted login attempts which make FZS go crazy.
I will collect more data and come back if I can.
For the debugger, it is my prod host not my dev host so i will not do this and I can't make a new fresh win xp pro test bed for fzs cause I don't have the time.
:-/
I hope wireshark will give some clues ...
comment:8 by , 10 years ago
| Status: | new → moreinfo |
|---|
Do you still experience this issue in the latest version of FileZilla Server?
comment:9 by , 9 years ago
| Resolution: | → outdated |
|---|---|
| Status: | moreinfo → closed |
No reply for more than 28 days.
FZS 0.9.32 is also affected on my XP Pro SP3 box ...
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> USER abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> 331 Password required for abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> USER abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> 331 Password required for abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> USER abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> 331 Password required for abby
(000074) 06/07/2009 21:35:46 - (not logged in) (85.234.144.7)> 421 Kicked by Administrator
(000074) 06/07/2009 21:35:46 - (not logged in) (85.234.144.7)> could not send reply, disconnected.
(000074) 06/07/2009 21:35:46 - (not logged in) (85.234.144.7)> disconnected.