[CentOS] security breach - ftp?

Mon May 20 12:56:11 UTC 2013
Andy Goy <AndyG at first4it.co.uk>

Although you have not said, I hope you changed the FTP account password and didn't save it in your FTP client program in cleartext (or anywhere else).

First-time hack logins usually know the right credentials.

Regards,
Andy Goy
IT Consultant
-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of mark
Sent: 20 May 2013 13:02
To: CentOS mailing list
Subject: Re: [CentOS] security breach - ftp?

On 05/19/13 11:59, Philipp Duffner wrote:
> Hi,
>
> I'm running Plesk 11.0.9 on a Centos 5.5.
> A website on that box got hacked last week and malicious code got 
> inserted into some html/php files. So I went to find out what happened...
>
<snip>
> * yum update everything, also made sure I have the latest version of 
> proftp
> * restore the entire website from a clean backup
> * delete the WYSIWYG folder that I believed had caused the 
> vulnerability
>
> The next days I slept ok hoping I removed the attacker's entry point(s).
>
> ...so I thought! Today the website got hacked again - the same exploit 
> on the pages, meaning same attacker.
> And again I can see nothing suspicious except for the successful FTP 
> logon just before the modification time of the infected html/php:
>
> 2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated 
> pam_stack module called from service "proftpd"
<snip>
The bunch of these messages, above, makes me wonder if the reason that the pam stack module is deprecated is a vulnerability. Consider checking the proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see if you can change what it's calling.

	mark


--
"The group mentality of the United States is fundamentally that of a
    teenager." -British Immigrant
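Added example, not part of the original thread: the check described in the quoted report (a successful FTP logon just before the modification time of the infected files) written as a small correlation script. The log lines and file times are constructed; the timestamp/host/program prefix follows the line quoted above, while the "Login successful" wording, the client-address layout, the file paths and the 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The timestamp/host/program prefix follows the line
# quoted in the thread; the "Login successful" wording and client-address layout
# are assumptions, so adjust LOGIN_RE to what your own proftpd log contains.
SAMPLE_LOG = """\
2013-05-18T09:12:03.000100-07:00 MyServer proftpd[3100]: MyServer (203.0.113.5[203.0.113.5]) - USER webuser: Login successful.
2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack module called from service "proftpd"
2013-05-18T15:01:27.101010-07:00 MyServer proftpd[4242]: MyServer (198.51.100.7[198.51.100.7]) - USER webuser: Login successful.
""".splitlines()

# Constructed modification times of the altered files (in practice: os.stat().st_mtime).
SAMPLE_MTIMES = {
    "httpdocs/index.php": datetime.fromisoformat("2013-05-18T15:01:41-07:00"),
    "httpdocs/contact.html": datetime.fromisoformat("2013-05-18T22:01:44+00:00"),
    "httpdocs/old.php": datetime.fromisoformat("2013-04-02T08:00:00-07:00"),
}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ proftpd\S*: .*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*"
    r"USER (?P<user>\S+): Login successful"
)

def parse_logins(lines):
    """Return (time, user, client_ip) for every successful-login line."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            logins.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return logins

def logins_before_changes(lines, mtimes, window=timedelta(minutes=10)):
    """Map each changed file to the logins that fall within `window` before its mtime."""
    logins = parse_logins(lines)
    hits = {}
    for path, mtime in mtimes.items():
        # Timezone-aware datetimes compare correctly across different UTC offsets.
        near = [(t, u, ip) for t, u, ip in logins if timedelta(0) <= mtime - t <= window]
        if near:
            hits[path] = near
    return hits

if __name__ == "__main__":
    for path, near in sorted(logins_before_changes(SAMPLE_LOG, SAMPLE_MTIMES).items()):
        for t, user, ip in near:
            print(f"{path}: modified after FTP login by {user} from {ip} at {t.isoformat()}")
```

File modification times can be set by anyone with write access to the file, so a match is a lead to confirm against the FTP transfer log rather than proof.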