Opened 10 years ago

Closed 5 years ago

#4600 closed Bug report (outdated)

Attack during identification process ?

Reported by: alf
Owned by:
Priority: high
Component: FileZilla Server
Keywords: authentification, security, 100% cpu
Cc:
Component version:
Operating system type: Windows
Operating system version: XP SP3

Description

Hi,

I installed FZS 0.9.31 on a Windows XP SP3 box a month ago for private use: there is a small number of well-known clients. During this month, FZS has gone crazy several times. CPU skyrockets to 100% with someone connected but no user identified in the list of users in the admin console.

It always follows the same scheme: someone tries to authenticate 2 or 3 times with the same username (USER command), without giving any password (no PASS command), and FZS goes crazy. Kicking or banning the user makes FZS go back to normal.

(000001) 08/06/2009 10:25:14 - (not logged in) (82.114.242.60)> USER Administrator
(000001) 08/06/2009 10:25:14 - (not logged in) (82.114.242.60)> 331 Password required for administrator
(000001) 08/06/2009 10:25:15 - (not logged in) (82.114.242.60)> USER Administrator
(000001) 08/06/2009 10:25:15 - (not logged in) (82.114.242.60)> 331 Password required for administrator
(000001) 08/06/2009 19:01:35 - (not logged in) (82.114.242.60)> 421 Kicked by Administrator
(000001) 08/06/2009 19:01:35 - (not logged in) (82.114.242.60)> disconnected.

(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> USER Administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> 331 Password required for administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> USER Administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> 331 Password required for administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> USER Administrator
(000005) 12/06/2009 02:13:44 - (not logged in) (64.69.35.115)> 331 Password required for administrator
(000005) 12/06/2009 07:53:51 - (not logged in) (64.69.35.115)> 421 Kicked by Administrator
(000005) 12/06/2009 07:53:51 - (not logged in) (64.69.35.115)> could not send reply, disconnected.
(000005) 12/06/2009 07:53:51 - (not logged in) (64.69.35.115)> disconnected.

I have played with almost all the options of FZS without any success. I can't sum up my tries here, but they had no effect. Then I tried the following workarounds:

  • create a simple "Administrator" disabled account - not working
  • create a simple "Administrator" enabled account with password - not working
  • create a simple "Administrator" enabled account with password and SSL required - working

(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> USER Administrator
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> 530 SSL required
(000015) 19/06/2009 05:26:39 - (not logged in) (213.194.149.3)> disconnected.

But after this, the "attacker" changed the user from "Administrator" to "oracle" and here we go again ...

(000016) 21/06/2009 15:09:32 - (not logged in) (203.59.222.90)> USER oracle
(000016) 21/06/2009 15:09:32 - (not logged in) (203.59.222.90)> 331 Password required for oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> USER oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> 331 Password required for oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> USER oracle
(000016) 21/06/2009 15:09:33 - (not logged in) (203.59.222.90)> 331 Password required for oracle
(000016) 22/06/2009 09:36:09 - (not logged in) (203.59.222.90)> 421 Kicked by Administrator
(000016) 22/06/2009 09:36:09 - (not logged in) (203.59.222.90)> disconnected.

I can't create an account for each potential name that the hacker-maniacs out there will try. So if someone has a solution...

I don't know if this is a security bug or if it concerns other versions of FZS.

Regards
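The pattern in the logs above (a session that repeats USER and never sends PASS, then sits open) is something a defender would want to flag automatically rather than notice via CPU load. The following is an added example, not code from the ticket or from FileZilla Server: it parses the 0.9.x log line format quoted above and reports such sessions. The sample log lines are constructed, the IPs are documentation ranges, and the `PASS ****` masking is an assumption.

```python
import re
from collections import defaultdict

# Log line format of FileZilla Server 0.9.x as quoted in the ticket, e.g.
# "(000001) 08/06/2009 10:25:14 - (not logged in) (82.114.242.60)> USER Administrator"
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<date>\S+) (?P<time>\S+) - "
    r"\((?P<user>[^)]*)\) \((?P<ip>[^)]+)\)> (?P<msg>.*)$"
)

# Constructed sample log (documentation-range IPs): session 1 mirrors the ticket's pattern
# (USER repeated, no PASS), session 2 is a normal login. PASS masking is assumed.
SAMPLE_LOG = """\
(000001) 08/06/2009 10:25:14 - (not logged in) (192.0.2.10)> USER Administrator
(000001) 08/06/2009 10:25:14 - (not logged in) (192.0.2.10)> 331 Password required for administrator
(000001) 08/06/2009 10:25:15 - (not logged in) (192.0.2.10)> USER Administrator
(000001) 08/06/2009 10:25:15 - (not logged in) (192.0.2.10)> 331 Password required for administrator
(000002) 08/06/2009 10:30:00 - (not logged in) (198.51.100.7)> USER alice
(000002) 08/06/2009 10:30:00 - (not logged in) (198.51.100.7)> 331 Password required for alice
(000002) 08/06/2009 10:30:01 - (not logged in) (198.51.100.7)> PASS ****
(000002) 08/06/2009 10:30:01 - (alice) (198.51.100.7)> 230 Logged on
"""

def parse_log(text):
    """Yield a dict per parseable line; banners and other non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_stalled_logins(text, min_user_cmds=2):
    """Return {session: {ip, usernames, user_cmds}} for sessions that sent USER at
    least min_user_cmds times and never sent PASS (the pattern reported above)."""
    sessions = defaultdict(lambda: {"ip": None, "usernames": [], "user_cmds": 0, "pass_seen": False})
    for rec in parse_log(text):
        s = sessions[rec["session"]]
        s["ip"] = rec["ip"]
        cmd, _, arg = rec["msg"].partition(" ")  # client commands look like "USER x" / "PASS ****"
        if cmd == "USER":
            s["user_cmds"] += 1
            if arg not in s["usernames"]:
                s["usernames"].append(arg)
        elif cmd == "PASS":
            s["pass_seen"] = True
    return {sid: {"ip": s["ip"], "usernames": s["usernames"], "user_cmds": s["user_cmds"]}
            for sid, s in sessions.items()
            if s["user_cmds"] >= min_user_cmds and not s["pass_seen"]}

if __name__ == "__main__":
    for sid, info in find_stalled_logins(SAMPLE_LOG).items():
        print(f"session {sid} from {info['ip']}: {info['user_cmds']} USER, no PASS, {info['usernames']}")
```

Run against a real FileZilla Server log file by passing its contents instead of `SAMPLE_LOG`; the session IDs it returns are the ones to kick or ban from the admin console.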

Change History (9)

comment:1 Changed 10 years ago by alf

FZS 0.9.32 is also affected on my XP Pro SP3 box ...

(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> USER abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> 331 Password required for abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> USER abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> 331 Password required for abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> USER abby
(000074) 06/07/2009 19:52:05 - (not logged in) (85.234.144.7)> 331 Password required for abby
(000074) 06/07/2009 21:35:46 - (not logged in) (85.234.144.7)> 421 Kicked by Administrator
(000074) 06/07/2009 21:35:46 - (not logged in) (85.234.144.7)> could not send reply, disconnected.
(000074) 06/07/2009 21:35:46 - (not logged in) (85.234.144.7)> disconnected.

comment:2 Changed 10 years ago by alf

Priority: normal → high

Again FZS 0.9.32 on XP Pro SP3 box ...
This time the attacker has gone through the SSL workaround and has logged multiple times from different IPs (which I banned again and again and again) ...

(000076) 09/07/2009 13:44:22 - (not logged in) (200.6.13.4)> Connected, sending welcome message...
..ZAP WELCOME MESSAGE ...
(000076) 09/07/2009 13:44:22 - (not logged in) (200.6.13.4)> USER administrator
(000076) 09/07/2009 13:44:22 - (not logged in) (200.6.13.4)> 530 SSL required
(000076) 09/07/2009 13:44:23 - (not logged in) (200.6.13.4)> USER administrator
(000076) 09/07/2009 13:44:23 - (not logged in) (200.6.13.4)> 530 SSL required
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> Connected, sending welcome message...
..ZAP WELCOME MESSAGE ...
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> USER administrator
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> 530 SSL required
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> USER administrator
(000077) 09/07/2009 15:24:31 - (not logged in) (200.6.13.4)> 530 SSL required
..ZAP WELCOME MESSAGE ...
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> USER administrator
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> 530 SSL required
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> USER administrator
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> 530 SSL required
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> USER administrator
(000078) 09/07/2009 18:57:07 - (not logged in) (69.197.161.80)> 530 SSL required
(000076) 09/07/2009 21:58:50 - (not logged in) (200.6.13.4)> 421 Kicked by Administrator
(000076) 09/07/2009 21:58:50 - (not logged in) (200.6.13.4)> disconnected.
(000077) 09/07/2009 21:58:50 - (not logged in) (200.6.13.4)> disconnected.
(000078) 09/07/2009 21:58:50 - (not logged in) (69.197.161.80)> disconnected.

Is there at least someone reading this?
Is this useful?
No feedback from the dev team is very annoying. This is at first sight a serious security issue which no one on the dev team seems eager to correct.
My only good solution is to change FTP server. Bye.

comment:3 Changed 10 years ago by Tim Kosse

Status: new → moreinfo

I am unable to reproduce the problem.

Are you using any firewalls or other so-called security solutions? What happens if you uninstall them?

comment:4 Changed 10 years ago by alf

I am a sysadmin. I know there is no problem with my firewalls (one on my Linksys box with dd-wrt and one on my XP box, which is Comodo) or any other software. But I have tried to turn the XP one "on"/"off" to be absolutely sure. The problem is: I can't control the hacker and I can't reproduce the problem as I wish, so it takes time.

Until now, the only symptom is 100% CPU even if there is no one at the end of the connection and the connection is closed.

I just started monitoring the connection with the latest Wireshark ... but I hate to use my personal "production" computer as a honeypot.

Why the hell did I go Windows for a server host? I should have stayed on plain Linux.
:-(

comment:5 Changed 10 years ago by alf

Is there a debug mode in FZS?

comment:6 Changed 10 years ago by Tim Kosse

I've bombarded the server all night long with login attempts, it's still working along nicely, no problems at all.

But I have tried to turn the xp one "on"/"off" to be absolutely sure.

Note that even if you switch them to off, their drivers are still loaded and running. Only complete uninstallation unloads the drivers.

Is there a debug mode in FZS?

Yes, compile it yourself and run it inside a debugger.

comment:7 Changed 10 years ago by alf

Status: moreinfo → new

I don't think it is a DoS: there are only 2 or 3 tries before the server goes crazy, and there are no logs of half-open TCP connections or anything like that in the dd-wrt Linksys box.
And even when the attack fails, there are no more than 5 tries.

In fact, I have very few connection attempts (1 to 3 connections a day for the valid ones, and 1 every other day for my special guest who plays with my FZS).
IMO it is more some strangely crafted login attempts that make FZS go crazy.
I will collect more data and come back if I can.

For the debugger, it is my prod host, not my dev host, so I will not do this, and I can't make a fresh Win XP Pro test bed for FZS because I don't have the time.
:-/

I hope wireshark will give some clues ...

comment:8 Changed 5 years ago by Tim Kosse

Status: new → moreinfo

Do you still experience this issue in the latest version of FileZilla Server?

comment:9 Changed 5 years ago by Alexander Schuch

Resolution: outdated
Status: moreinfo → closed

No reply for more than 28 days.
