Latest proftpd causing extremely high load

priestjim

Hey all!

I've been experiencing a very strange issue after the whole proftpd remote root exploit fuss: every user connected via FTP consumes a humongous amount of CPU time and memory (to the point where an 8 GB RAM server started swapping because of the proftpd processes) no matter what the user performs (IDLE, LIST etc).

The server is a hackenstein of RHEL 4 and CentOS 4.8, with all package conflicts resolved, and has been running smoothly for over 1.5 years now. The issue has appeared with both Atomic proftpd 1.3.3c and 1.3.3d, and strace is to my eyes inconclusive.

Any help would be greatly appreciated, as I don't like reverting to the vulnerable 1.3.2e (which is the latest version where proftpd runs with no issues whatsoever) for the server to operate correctly.

Thanks!
scott
Atomicorp Staff - Site Admin

Rough guess, downstream symptom of a rootkit?
priestjim

On about 15 servers (4 dedicated and 11 VPSes, 4 of which were opened yesterday?)? The issue occurs on CentOS 5.5 x64 as well but never on Parallels' 1.3.2e proftpd!
scott

Very strange, has anyone else experienced this? These were the changes from 1.3.3c to 1.3.3d:

+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
+ Fixed CPU spike when handling .ftpaccess files.
+ Fixed handling of SFTP uploads when compression is used.

Do you use .ftpaccess files at all?
priestjim

What about the changelog between 1.3.2e and 1.3.3c? No .ftpaccess files are being used...
scott

It's big. Check them all out here: http://www.proftpd.org