On 05/19/13 11:59, Philipp Duffner wrote:
Hi,
I'm running Plesk 11.0.9 on a CentOS 5.5. A website on that box got hacked last week and malicious code got inserted into some html/php files. So I went to find out what happened...
<snip>
- yum update everything, also made sure I have the latest version of proftp
- restore the entire website from a clean backup
- delete the WYSIWYG folder that I believed had caused the vulnerability
The next days I slept ok hoping I removed the attacker's entry point(s).
...so I thought! Today the website got hacked again - the same exploit on the pages, meaning same attacker. And again I can see nothing suspicious except for the successful FTP logon just before the modification time of the infected html/php:
2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
<snip>
The bunch of these messages, above, makes me wonder if the reason that the pam stack module is deprecated is a vulnerability. Consider checking the proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see if you can change what it's calling.
mark
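
One way to carry out the check suggested in the reply above, as an added example that is not part of the original thread: the function lists every active `pam_stack.so` reference in a PAM service file and prints the equivalent `include` line. The function name, the output format and the sample file are constructed for illustration; pass the real service file under /etc/pam.d/ instead.

```shell
#!/bin/sh
# Report pam_stack.so references in a PAM service file and print the
# "include" line that calls the same service stack.
# Output format (hypothetical, chosen for this example):
#   <line number>: <type> include <service>
pam_stack_report() {
    awk '
        /^[ \t]*#/ { next }              # commented-out lines are inactive
        /pam_stack\.so/ {
            svc = ""
            # PAM line layout: type control module-path [arguments...]
            for (i = 3; i <= NF; i++)
                if ($i ~ /^service=/) { svc = $i; sub(/^service=/, "", svc) }
            if (svc == "") {
                printf "%d: pam_stack.so without service=, review by hand\n", NR
                next
            }
            printf "%d: %s include %s\n", NR, $1, svc
        }
    ' "$1"
}

# Constructed sample service file, NOT taken from the server in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required     pam_shells.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
#password  required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF

pam_stack_report "$sample"
```

Each reported line is one place where the service file triggers the deprecation message seen in the log; keep a copy of the file before editing it.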