hack problem with FTP

Discussion in 'General' started by mumbly, Dec 20, 2009.

  1. mumbly

    mumbly Member

    My three servers have been hacked these days.
    One (big) line of code habe been added at the end of some files (index, etc.) by some one or something ... This is the code :

    It seems (???) that this is a ftp problem.
    As long as mi 3 servers have been configured with Ubuntu 8.04 LTS, fully updated, with ISPConfig 2 (last version 2.2.35), i do admit that i am a bit confused with that...

    Here is some more news about this :
    - http://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html

    THE BIG QUESTION : HOW-TO secure more ftp ? Must i change the paswords for now ?

    At last, i must say that all of my servers are configured according to "Ubuntu Perfect Server" from howtoforge.org.
  2. falko

    falko Super Moderator ISPConfig Developer

  3. mumbly

    mumbly Member

  4. Ben

    Ben ISPConfig Developer ISPConfig Developer

    I don't know the exact switch on how to check which proftp modules are loaded. never the less you can check this, as there is a specific module that needs to be loaded for tls. I tried this on my debian machine some time ago, but did not get it working as there was no possibility to have this module loaded, as it seems that it does anyhow not exist in the debian version of proftpd.

    But independant of that, if the server was really hacked I would consider rebuilding the whole servers as you can never be sure whether a rootkit or similar was installed on your machine, so changing passwords would be no real help.
    Did you also check your machine with e.g. rkhunter?
  5. falko

    falko Super Moderator ISPConfig Developer

    Have you tried both active and passive transfers in your FTP client?
  6. Mark_NL

    Mark_NL Member

    I've seen this before, for me, it was a customer who used an illegal version of CuteFTP (used a file called patch.exe) which actually contained a keylogger, logged the login credentials, and could login straight away without any errors, added the code in ALL index.* files and logged off.

    install rkhunter and clamav and scan your disc for more infections .. because your websites will be reported as "deformed/malware" through firefox/google very fast.

Share This Page