Page 1 of 1

Latest proftpd causing extremely high load

Posted: Wed Mar 09, 2011 8:19 am
by priestjim
Hey all!

I've been experiencing a very strange issue after the whole proftpd remote root exploit fuss: every user connected via FTP consumes a humongous amount of CPU time and memory (to the point where an 8 GB RAM server started swapping because of the proftpd processes) no matter what the user performs (IDLE, LIST etc).

The server is a hackenstein of RHEL 4 and CentOS 4.8, with all package conflicts resolved and has been running smoothly for over 1.5 year now. The issue has appeared with both Atomic proftpd 1.3.3c and 1.3.3d and strace is to my eyes inconclusive.

Any help would be greatly appreciated, as I don't like reverting to the vulnerable 1.3.2e (which is the latest version where proftpd runs with no issues whatsoever) for the server to operate correctly.

Thanks!

Re: Latest proftpd causing extremely high load

Posted: Wed Mar 09, 2011 10:57 pm
by scott
rough guess, downstream symptom of a rootkit?

Re: Latest proftpd causing extremely high load

Posted: Thu Mar 10, 2011 4:40 am
by priestjim
On about 15 servers (4 dedicated and 11 VPSes, 4 of which were opened yesterday?)? The issue occurs on Centos 5.5 x64 as well but never on Parallels' 1.3.2e proftpd!

Re: Latest proftpd causing extremely high load

Posted: Thu Mar 10, 2011 11:01 am
by scott
Very strange, has anyone else experienced this? These were the changes from 1.3.3c to 1.3.3d:

+ Fixed sql_prepare_where() buffer overflow (Bug#3536)
+ Fixed CPU spike when handling .ftpaccess files.
+ Fixed handling of SFTP uploads when compression is used.

Do you use .ftpaccess files at all?

Re: Latest proftpd causing extremely high load

Posted: Fri Mar 11, 2011 6:19 am
by priestjim
What about the changelog between 1.3.2e and 1.3.3c? No .ftpaccess files are being used...

Re: Latest proftpd causing extremely high load

Posted: Fri Mar 11, 2011 9:18 am
by scott
Its big. Check them all out here: http://www.proftpd.org