
ftp_scanner installed by user test?

Discussion in 'Plesk for Linux - 8.x and Older' started by baden32, Nov 17, 2007.

  1. baden32

    baden32 Guest

    I have some trouble on my SUSE server using Plesk:
    A process ftp_scanner1 was installed and is running.

    It has been installed under "/tmp/ egg" and was owned by user "test".

    As I never configured the user test on my system (however it is listed in the /etc/passwd file), I have 2 questions:

    1. Where is this user coming from, and how do I remove it from the system (is it OK to just remove the line in the /etc/passwd file)?

    2. What should I do in order to completely remove the "installation" of the virus ftp_scanner?

    Thank you in advance for your help.
  2. Monica@

    Monica@ Guest


    The user can be added/removed with adduser / userdel. Execute
    userdel test
    If for some reason it cannot be removed, it is also possible to remove the line in /etc/passwd.

    But first you should kill all the processes which are running under the name of that user. Use ps aux or lsof to get information about the process, and kill -9 to stop it.

    Check the system with rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html), for example; there are probably other exploits installed as well.

    It's hard to say how the exploit can be removed, as it is necessary to know how it was installed. If it was compiled from sources (most probably), then it's necessary to remove the files manually with "rm".
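
A read-only triage pass for the steps in the answer above, added here as an example and not part of the original posts: it records the account's passwd entry, its processes and its files before anything is killed or deleted. The function names and the optional PASSWD_FILE / PROC_ROOT parameters are hypothetical; only the user name "test" comes from the thread.

```shell
#!/bin/sh
# Triage for an unexpected local account (added example, changes nothing).
# PASSWD_FILE and PROC_ROOT are assumed parameters so the same functions can
# be pointed at a copied or mounted image instead of the live system.

# Print "uid:gid:home:shell" for an account, or return 1 if it has no entry.
passwd_entry() {  # usage: passwd_entry USER [PASSWD_FILE]
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4 ":" $6 ":" $7; found = 1 }
        END { exit !found }' "${2:-/etc/passwd}"
}

# List "PID<TAB>EXE" for every process whose real UID matches.
# Reads /proc directly, so it does not rely on a possibly replaced ps binary.
procs_of_uid() {  # usage: procs_of_uid UID [PROC_ROOT]
    root="${2:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/status" ] || continue
        ruid=$(awk '$1 == "Uid:" { print $2; exit }' "$d/status")
        [ "$ruid" = "$1" ] || continue
        # exe is a symlink to the binary; the kernel appends " (deleted)"
        # when the file was unlinked after the process started.
        exe=$(readlink "$d/exe" 2>/dev/null || echo "?")
        printf '%s\t%s\n' "${d##*/}" "$exe"
    done
}

# Report everything known about one account, as evidence for later cleanup.
triage_user() {  # usage: triage_user USER
    entry=$(passwd_entry "$1") || { echo "no passwd entry for $1"; return 1; }
    uid=${entry%%:*}
    echo "account $1 -> uid:gid:home:shell = $entry"
    echo "processes with real UID $uid:"
    procs_of_uid "$uid"
    echo "files owned by $1 in /tmp and /var/tmp:"
    find /tmp /var/tmp -xdev -user "$1" -exec ls -ld {} + 2>/dev/null
}

# Run only when called with an argument, e.g.:  sh triage.sh test
if [ $# -gt 0 ]; then
    triage_user "$1"
fi
```

Run it as root so the exe links of other users' processes are readable, and save the output before running kill or userdel.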
  3. atomicturtle

    atomicturtle Golden Pleskian
