[CentOS] security breach - ftp?

Mon May 20 12:02:07 UTC 2013
mark <m.roth at 5-cent.us>

On 05/19/13 11:59, Philipp Duffner wrote:
> Hi,
>
> I'm running Plesk 11.0.9 on a CentOS 5.5.
> A website on that box got hacked last week and malicious code got inserted
> into some html/php files. So I went to find out what happened...
>
<snip>
> * yum update everything, also made sure I have the latest version of proftp
> * restore the entire website from a clean backup
> * delete the WYSIWYG folder that I believed had caused the vulnerability
>
> The next days I slept ok hoping I removed the attacker's entry point(s).
>
> ...so I thought! Today the website got hacked again - the same exploit on
> the pages, meaning same attacker.
> And again I can see nothing suspicious except for the successful FTP logon
> just before the modification time of the infected html/php:
>
> 2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack
> module called from service "proftpd"
<snip>
The bunch of these messages, above, makes me wonder if the reason that the
pam stack module is deprecated is a vulnerability. Consider checking the
proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see
if you can change what it's calling.

	mark


-- 
"The group mentality of the United States is fundamentally that of a
    teenager." -British Immigrant
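
An added example, not part of the original message: one way to carry out the check suggested above is to list every PAM service file that still calls pam_stack.so, together with the service it delegates to and the `include` line that PAM configurations use in place of pam_stack. The function names and the sample file `ftp-sample` are constructed for illustration; review each suggested line before changing a live file.

```shell
#!/bin/sh
# find_pam_stack DIR
# Report each active (non-comment) pam_stack.so line in the PAM service
# files under DIR (default /etc/pam.d), with the service it hands off to
# and the equivalent "include" line.
find_pam_stack() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }              # ignore commented-out lines
            /pam_stack\.so/ {
                target = "?"                        # stays "?" if no service= argument
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^service=/) target = substr($i, 9)
                printf "%s:%d: %s uses pam_stack service=%s; include form: %s include %s\n",
                       file, NR, $1, target, $1, target
            }' "$f"
    done
}

# make_sample DIR: write a constructed PAM service file for the demo below.
# Assumption: the file name and contents are sample data, not taken from
# the server discussed in the thread.
make_sample() {
    cat > "$1/ftp-sample" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
# account  required     pam_stack.so service=old
account    required     /lib/security/pam_stack.so service=system-auth
session    required     pam_loginuid.so
EOF
}

# Demo on the constructed sample: reports lines 2 and 4 of ftp-sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_pam_stack "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, call `find_pam_stack /etc/pam.d` and compare the reported service files against the one the proftpd log message names.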