[CentOS] security breach - ftp?

Mon May 20 12:02:07 UTC 2013
mark <m.roth at 5-cent.us>

On 05/19/13 11:59, Philipp Duffner wrote:
> Hi,
> I'm running Plesk 11.0.9 on a CentOS 5.5.
> A website on that box got hacked last week and malicious code got inserted
> into some html/php files. So I went to find out what happened...
> * yum update everything, also made sure I have the latest version of proftp
> * restore the entire website from a clean backup
> * delete the WYSIWYG folder that I believed had caused the vulnerability
> The next days I slept ok hoping I removed the attacker's entry point(s).
> ...so I thought! Today the website got hacked again - the same exploit on
> the pages, meaning same attacker.
> And again I can see nothing suspicious except for the successful FTP logon
> just before the modification time of the infected html/php:
> 2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack
> module called from service "proftpd"
The bunch of these messages, above, makes me wonder if the reason that the
pam stack module is deprecated is a vulnerability. Consider checking the
proftpd configuration, and /etc/pam.d/proftp? (whatever it's called), and see
if you can change what it's calling.


"The group mentality of the United States is fundamentally that of a
    teenager." -British Immigrant
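
One way to carry out the check suggested in the reply above, as an added example that is not part of the original thread: it lists every active line in a PAM service directory that still calls pam_stack.so and prints the `include` form that PAM on CentOS 5 accepts in its place. The function names and the sample proftpd service file are constructed for illustration.

```sh
#!/bin/sh
# Report non-comment lines in a PAM service directory that call pam_stack.so,
# with the equivalent "include" line for review.
# Usage: find_pam_stack [DIR]   (DIR defaults to /etc/pam.d)
find_pam_stack() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }                 # commented-out lines are inactive
            /pam_stack\.so/ {
                target = ""
                for (i = 1; i <= NF; i++)       # pick up the service=NAME argument
                    if ($i ~ /^service=/) target = substr($i, 9)
                printf "%s:%d: %s\n", file, NR, $0
                if (target != "")
                    printf "    candidate replacement: %s include %s\n", $1, target
            }
        ' "$f"
    done
}

# Number of active pam_stack.so references under DIR.
count_pam_stack() {
    find_pam_stack "$1" | awk '/pam_stack\.so/ { n++ } END { print n + 0 }'
}

# Constructed sample: a service file shaped like an older /etc/pam.d entry.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/proftpd" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
# session  required     pam_stack.so service=system-auth
session    include      system-auth
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
find_pam_stack "$sample"
rm -rf "$sample"
```

On a real host, run `find_pam_stack` with no argument to scan /etc/pam.d, and review each candidate line before editing the service file.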