[CentOS] security breach - ftp?

Sun May 19 15:59:17 UTC 2013
Philipp Duffner <philipp at phphaus.com>

Hi,

I'm running Plesk 11.0.9 on a Centos 5.5.
A website on that box got hacked last week and malicious code got inserted
into some html/php files. So I went to find out what happened...

I found no back doors by using rkhunter or manually searching for
suspicious files in /tmp, etc. No activity at all in the php logs at the
time of the attack. I also analysed of course the system logs (messages,
secure, ...) - nothing that I could see either - except for an entry of an
successful login to that domain via FTP just before the the modified dates
of the infected files.
I found one of the oldest infected files were in the folder of a hopelessly
outdated version of a WYSIWYG editor and decided to blame that due to
probability.

So in order to recover I did in this order...
* delete httpdocs from the website
* change the FTP password
* upgrade and update Plesk from 10.0.4 to 11.0.9
* upgrade php to php53 via plesk - this also updates mysql and phpmyadmin
* yum update everything, also made sure I have the latest version of proftp
* restore the entire website from a clean backup
* delete the WYSIWYG folder that I believed had caused the vulnerability

The next days I slept ok hoping I removed the attacker's entry point(s).

...so I thought! Today the website got hacked again - the same exploit on
the pages, meaning same attacker.
And again I can see nothing suspicious except for the successful FTP logon
just before the modification time of the infected html/php:

2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack
module called from service "proftpd"
2013-05-18T15:01:25.204731-07:00 MyServer proftpd: Deprecated pam_stack
module called from service "proftpd"
2013-05-18T15:01:25.204831-07:00 MyServer proftpd: Deprecated pam_stack
module called from service "proftpd"
2013-05-18T15:01:25.205183-07:00 MyServer proftpd:
pam_unix(proftpd:session): session opened for user WEBSITEUSER by (uid=0)
2013-05-18T15:01:25.205244-07:00 MyServer proftpd: Deprecated pam_stack
module called from service "proftpd"
2013-05-18T15:01:25.231034-07:00 MyServer proftpd[20243]: 127.0.0.1
(188.190.126.105[188.190.126.105]) - USER WEBSITEUSER: Login successful.
2013-05-18T15:04:08.095351-07:00 MyServer proftpd: Deprecated pam_stack
module called from service "proftpd"
2013-05-18T15:04:08.095379-07:00 MyServer proftpd:
pam_env(proftpd:setcred): Unable to open config file:
/etc/security/pam_env.conf: No such file or directory
2013-05-18T15:04:08.095445-07:00 MyServer proftpd: Deprecated pam_stack
module called from service "proftpd"
2013-05-18T15:04:08.095455-07:00 MyServer proftpd:
pam_succeed_if(proftpd:session): error retrieving information about user 0
2013-05-18T15:04:08.095463-07:00 MyServer proftpd:
pam_unix(proftpd:session): session closed for user WEBSITEUSER

I know for a fact it couldn't have been the website owner because I didn't
give him the new FTP password yet.

# yum list | grep proftp
psa-proftpd.i386                         1.3.4a-cos5.build110121114.13
installed
proftpd.i386                             1.3.3g-2.el5                  epel
proftpd-ldap.i386                        1.3.3g-2.el5                  epel
proftpd-mysql.i386                       1.3.3g-2.el5                  epel
proftpd-postgresql.i386                  1.3.3g-2.el5                  epel

I think I really hit a snag with this one - I have no idea where to go
forward from here.
I'd appreciate any ideas.

Thanks.

Philipp