Hi,
I'm running Plesk 11.0.9 on CentOS 5.5. A website on that box got hacked last week and malicious code got inserted into some html/php files. So I went to find out what happened...
I found no back doors by using rkhunter or manually searching for suspicious files in /tmp, etc. No activity at all in the php logs at the time of the attack. I also analysed, of course, the system logs (messages, secure, ...) - nothing that I could see there either - except for an entry of a successful login to that domain via FTP just before the modified dates of the infected files. I found that one of the oldest infected files was in the folder of a hopelessly outdated version of a WYSIWYG editor and decided to blame that due to probability.
So in order to recover I did, in this order:
* delete httpdocs from the website
* change the FTP password
* upgrade and update Plesk from 10.0.4 to 11.0.9
* upgrade php to php53 via Plesk - this also updates mysql and phpmyadmin
* yum update everything, also made sure I have the latest version of proftpd
* restore the entire website from a clean backup
* delete the WYSIWYG folder that I believed had caused the vulnerability
The next days I slept ok hoping I removed the attacker's entry point(s).
...so I thought! Today the website got hacked again - the same exploit on the pages, meaning same attacker. And again I can see nothing suspicious except for the successful FTP logon just before the modification time of the infected html/php:
2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:01:25.204731-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:01:25.204831-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:01:25.205183-07:00 MyServer proftpd: pam_unix(proftpd:session): session opened for user WEBSITEUSER by (uid=0)
2013-05-18T15:01:25.205244-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:01:25.231034-07:00 MyServer proftpd[20243]: 127.0.0.1 (188.190.126.105[188.190.126.105]) - USER WEBSITEUSER: Login successful.
2013-05-18T15:04:08.095351-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:04:08.095379-07:00 MyServer proftpd: pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory
2013-05-18T15:04:08.095445-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:04:08.095455-07:00 MyServer proftpd: pam_succeed_if(proftpd:session): error retrieving information about user 0
2013-05-18T15:04:08.095463-07:00 MyServer proftpd: pam_unix(proftpd:session): session closed for user WEBSITEUSER
I know for a fact it couldn't have been the website owner because I didn't give him the new FTP password yet.
# yum list | grep proftp
psa-proftpd.i386          1.3.4a-cos5.build110121114.13    installed
proftpd.i386              1.3.3g-2.el5                     epel
proftpd-ldap.i386         1.3.3g-2.el5                     epel
proftpd-mysql.i386        1.3.3g-2.el5                     epel
proftpd-postgresql.i386   1.3.3g-2.el5                     epel
I think I really hit a snag with this one - I have no idea where to go forward from here. I'd appreciate any ideas.
Thanks.
Philipp
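One way to make the correlation described in the post repeatable, as an added example that is not part of the original post: pair proftpd "Login successful" and "session closed" syslog lines into session windows, then flag every file in the docroot whose mtime falls inside one of them. The two log lines are taken from the post; the file paths, mtimes and the helper names are constructed for the example.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two decisive proftpd lines from the post (login + session close).
SAMPLE_LOG = """\
2013-05-18T15:01:25.231034-07:00 MyServer proftpd[20243]: 127.0.0.1 (188.190.126.105[188.190.126.105]) - USER WEBSITEUSER: Login successful.
2013-05-18T15:04:08.095463-07:00 MyServer proftpd: pam_unix(proftpd:session): session closed for user WEBSITEUSER
"""
LOGIN_RE = re.compile(r"^(\S+) \S+ proftpd\[\d+\]: \S+ \(([^\[]+)\[[^\]]*\]\) - USER (\S+): Login successful\.$")
CLOSE_RE = re.compile(r"^(\S+) \S+ proftpd: pam_unix\(proftpd:session\): session closed for user (\S+)$")

def ftp_sessions(log_text):
    """Pair each 'Login successful' with the next 'session closed' for the same user."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, ip, user = m.groups()
            open_sessions[user] = (datetime.fromisoformat(ts), ip)  # ISO syslog timestamp with offset
            continue
        m = CLOSE_RE.match(line)
        if m and m.group(2) in open_sessions:
            start, ip = open_sessions.pop(m.group(2))
            sessions.append({"user": m.group(2), "ip": ip, "start": start, "end": datetime.fromisoformat(m.group(1))})
    for user, (start, ip) in open_sessions.items():  # logins with no close yet: open-ended window
        sessions.append({"user": user, "ip": ip, "start": start, "end": None})
    return sessions

def collect_mtimes(root, tz):
    """Walk a docroot and return (path, mtime) pairs for files_touched_during_sessions."""
    out = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            out.append((p, datetime.fromtimestamp(os.stat(p).st_mtime, tz=tz)))
    return out

def files_touched_during_sessions(sessions, file_mtimes, slack=timedelta(seconds=5)):
    """Return (path, ip, user) for every file whose mtime falls inside an FTP session window."""
    hits = []
    for path, mtime in file_mtimes:
        for s in sessions:
            if s["start"] - slack <= mtime and (s["end"] is None or mtime <= s["end"] + slack):
                hits.append((path, s["ip"], s["user"]))
    return hits

# Constructed file mtimes (hypothetical paths): one modified inside the session, one the day before.
TZ = timezone(timedelta(hours=-7))
SAMPLE_MTIMES = [("httpdocs/index.php", datetime(2013, 5, 18, 15, 2, 40, tzinfo=TZ)),
                 ("httpdocs/css/style.css", datetime(2013, 5, 17, 9, 0, 0, tzinfo=TZ))]
```

On a live box, replace SAMPLE_MTIMES with collect_mtimes("/path/to/httpdocs", TZ) and feed the real messages/secure lines to ftp_sessions; any hit ties a modified file to a specific FTP session and source IP.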