Although you have not said, I hope you changed the ftp account password and didn't save it on your ftp client program in cleartext (or anywhere else).
First time hack logins usually know the right credentials.
Regards,
Andy Goy
IT Consultant

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of mark
Sent: 20 May 2013 13:02
To: CentOS mailing list
Subject: Re: [CentOS] security breach - ftp?
On 05/19/13 11:59, Philipp Duffner wrote:
Hi,
I'm running Plesk 11.0.9 on a CentOS 5.5. A website on that box got hacked last week and malicious code got inserted into some html/php files. So I went to find out what happened...
<snip>
- yum update everything, also made sure I have the latest version of proftp
- restore the entire website from a clean backup
- delete the WYSIWYG folder that I believed had caused the vulnerability
The next days I slept ok hoping I removed the attacker's entry point(s).
...so I thought! Today the website got hacked again - the same exploit on the pages, meaning same attacker. And again I can see nothing suspicious except for the successful FTP logon just before the modification time of the infected html/php:
2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
<snip>
The bunch of these messages, above, make me wonder if the reason that the pam stack module is deprecated is a vulnerability. Consider checking the proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see if you can change what it's calling.
mark
--
"The group mentality of the United States is fundamentally that of a teenager." -British Immigrant
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
-- This message has been scanned for viruses and dangerous content by MailScanner2, and is believed to be clean. ISP: First 4 IT Ltd (Registered in the UK: 4716196)
--------------------------------------- This message has been scanned for viruses and dangerous content by the SecPoint(R) Protector Security Appliance. --------------------------------------- For more information on security products or any other IT solution, please call First 4 IT Ltd on 01423 859370 or email info@first4it.co.uk ---------------------------------------
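The check described in the thread, a successful FTP logon shortly before the modification time of the infected files, can be run mechanically over the log. This is an added example, not part of the original messages: the "Login successful" line layout, the host, user, addresses, file paths and the 10-minute window are constructed assumptions; only the timestamp style and the pam_stack line come from the quoted log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (addresses are documentation ranges, user is made up).
SAMPLE_LOG = """\
2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:01:25.412003-07:00 MyServer proftpd[4211]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - USER webuser: Login successful.
2013-05-18T18:40:02.000100-07:00 MyServer proftpd[4388]: 192.0.2.10 (198.51.100.4[198.51.100.4]) - USER webuser: Login successful.
"""

# Constructed mtimes; on a real host build these with
# datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).
SAMPLE_MTIMES = {
    "httpdocs/index.php": datetime.fromisoformat("2013-05-18T22:03:10+00:00"),
    "httpdocs/about.html": datetime.fromisoformat("2013-05-17T09:00:00+00:00"),
}

# Assumed layout of a successful-login line: "... (name[ip]) - USER x: Login successful."
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ proftpd\[\d+\]: .*\([^\[\]]*\[(?P<ip>[^\]]+)\]\)"
    r" - USER (?P<user>\S+): Login successful"
)

def parse_logins(log_text):
    """Return (timestamp, user, client_ip) for each successful FTP login."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return logins

def correlate(logins, mtimes, window=timedelta(minutes=10)):
    """Map each file to the logins that preceded its mtime by at most `window`."""
    hits = {}
    for path, mtime in mtimes.items():
        # Timezone-aware datetimes compare correctly across different offsets.
        near = [l for l in logins if timedelta(0) <= mtime - l[0] <= window]
        if near:
            hits[path] = near
    return hits

if __name__ == "__main__":
    for path, near in correlate(parse_logins(SAMPLE_LOG), SAMPLE_MTIMES).items():
        for ts, user, ip in near:
            print(f"{path}: modified after login by {user} from {ip} at {ts}")
```

A match is a lead, not proof: anyone with write access to a file can also change its mtime.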