pureftp problem? and what is DEFAULT website served to the ip address?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jan 22, 2018.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I posted a bit ago about a hack into my server. As it turns out they guessed an FTP account password - I just deleted the account in ISPConfig.

    But they uploaded a malicious obfuscated file to the root directory of the web account - and then were able to execute it.
    I thought pureftpd would have its default upload directory be non-executable? It seems to be a problem to upload into the root of the website, and then whatever.com/mymalicious.php runs whatever!
    I have the file attached (mdbx.zip) in case anyone can de-obfuscate it. I'm curious as to WHAT IT WAS DOING!! and what else I need to be concerned about :)

    A second question - how can I set a default site served to the IP address? I don't see any of the vhosts with a _default_ directive.
    How can I find out what vhost is served to the IP address - what does 74.xxx.yyy.zzz resolve to? And how do I point it to a place that I want it to serve?
    thanks all!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You mix up a few things here, let me explain. .php files are files interpreted by the PHP interpreter of the apache or nginx web server; this has nothing to do with executable applications or the executable bit on Linux and is not related to the way pure-ftpd uploads files. If a PHP file is uploaded (by FTP or by a vulnerability in the CMS of the website) into a website that has PHP enabled (e.g. because you run a CMS system like WordPress, Joomla etc.), then this file can be executed by calling its URL in the browser. So there is no configuration issue here; it's the purpose of a PHP enabled website to run PHP scripts, and PHP can not know if you uploaded a PHP script through your FTP account or if someone else uploaded it through your FTP account. Use a secure password to prevent someone else from uploading files to your website, and keep the CMS system that you use in that site updated.

    Please remove the file that you attached to your post. This is probably malware and we do not provide malware downloads here at howtoforge.

    To your second question: when an apache or nginx web server does not find a matching vhost for a request, then it will show the first website that is on the same IP, in alphabetical order. To show a specific website, just create a new website that is first in the alphabet; the domain does not have to exist in DNS, e.g. '000default.local'.
  3. craig baker

    craig baker Member HowtoForge Supporter

    I understand about the PHP but thought pureftp would upload into a different directory rather than the root of the website!
    After all, if it uploads into a /mybogus/hiddenname/upload folder, at least the hacker would have to be guessing pretty good to figure out where his malware got uploaded! Putting it into myurl/bogus.php makes it way too easy imho.
    Can we get pureftpd to upload into something less - obvious?

    File deleted. It damn sure IS malicious, but zipped up, though, someone might be able to decode it. I'm REALLY interested in what they were trying to do!

    Thanks for the default website filename, I'll try it now :)
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The place where a file is uploaded is set by the FTP client and not the server. The FTP client must be able to specify where to upload a file and to which folder inside the website it gets uploaded; otherwise you won't be able to upload websites or CMS systems, as they consist of folders and files in directories.
  5. craig baker

    craig baker Member HowtoForge Supporter

    Most of my WordPress sites don't need FTP directly - and I've simply deleted the FTP users for them, and changed the passwords on the rest. I guess that's the best we can do without disabling FTP entirely!
    Sorry for the silly post, I was just shocked that someone was able to guess the password, clearly. Of course FTP has to default to the website root - or it's entirely pointless.
    Thanks for the help. And any idea where I could get this malware 'looked at'? I was hoping someone here might have experience de-obfuscating them (I tried some of the online sites and they are really not effective!)
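On the de-obfuscation question raised above, here is an added example (not from this thread, ISPConfig or pure-ftpd): a static unwrapper for the common `eval(<decode chain>('literal'))` wrapper that obfuscated PHP droppers tend to use. It assumes that layering (the thread never shows the file's structure) and reverses each PHP decoding step with its Python equivalent, so nothing in the payload is ever executed; the sample it runs on is constructed here around a harmless body.

```python
import base64
import re
import zlib

# Byte-wise ROT13 table: the inverse of PHP's str_rot13 (ASCII letters only).
_ROT13 = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
                         b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")

# PHP decoding function name -> pure-Python equivalent; nothing here runs PHP.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE, no header
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": lambda d: d.translate(_ROT13),
    "strrev": lambda d: d[::-1],
}

# Matches eval( f1( f2( ... ( 'literal' ) ... ) ) ): group 1 is the call chain,
# group 2 the quoted literal that the innermost function receives.
PATTERN = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)'([^']*)'\s*\)+")


def unwrap(source: bytes, max_layers: int = 20):
    """Peel nested eval() wrappers statically; return (innermost source, decoders applied)."""
    applied = []
    for _ in range(max_layers):
        m = PATTERN.search(source.decode("latin-1"))
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))  # outermost call first
        data = m.group(2).encode("latin-1")
        for fn in reversed(chain):               # innermost call runs first
            if fn not in DECODERS:
                return source, applied           # unknown step: stop rather than guess
            data = DECODERS[fn](data)
            applied.append(fn)
        source = data
    return source, applied


def _raw_deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)  # what PHP's gzinflate expects back
    return c.compress(data) + c.flush()


# Constructed sample (not the file from the thread): two wrapper layers
# around a harmless body, built here so the script runs offline.
INNER = b"<?php echo 'clean'; ?>"
LAYER1 = b"<?php eval(gzinflate(base64_decode('" + base64.b64encode(_raw_deflate(INNER)) + b"'))); ?>"
SAMPLE = b"<?php eval(str_rot13(base64_decode('" + base64.b64encode(LAYER1.translate(_ROT13)) + b"'))); ?>"
```

Run `unwrap(open(path, "rb").read())` on a quarantined copy; the returned decoder list shows how many layers were peeled, and an unknown function name in the chain stops the unwrapping instead of guessing.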
