help : ftp accepts any password !

Alex M2

New Pleskian
Hi All ...

One of my friends asked me to check his server because a page of his website was modified and someone put a trojan dl link ..
After checking the logs I found out that the hacker simply logged in with FTP ..
At first I thought it was a brute force, but the FTP password was strong enough! (like this: #G}C*1dzSg?U)
I changed the pass and tried to log in with the new pass and everything was OK, but when I tried with the old pass I was able to log in too!
I was able to log in to the FTP with an empty password or even any word, but I had to know the real username .. this method works on all accounts :\

As I am not familiar with Plesk I didn't find the issue ..
Temporarily I limited the FTP to certain IPs (as it's not a hosting server we don't have a problem with this)

Can anybody help me to resolve this problem?

Thanks
 
make sure to check your config file - /etc/ftpusers

it should look something like this


#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
#ServerType standalone
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
PassivePorts 5500 6000
</Global>
DefaultTransferMode binary
UseFtpUsers on

TimesGMT off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

#Scoreboard

# Primary log file mest be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
GroupOwner psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile /etc/group


The really important parts are these lines

AuthPAM on
AuthPAMConfig proftpd

AuthGroupFile /etc/group


Then in PAM check to see if it's still enabled

cat /etc/pam.d/proftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
#session required pam_stack.so service=system-auth
session required pam_permit.so
 
Thanks Amin, but my configuration is exactly the same as the one you pasted here ...

I found the following message in the logs, I hope it helps:

Jul 16 09:09:53 p2379518 proftpd: Deprecated pam_stack module called from service "proftpd"

no other log or error ...
 
if you do
tail -f /var/log/secure

and then try to log in, what displays in the log?

log output :

Jul 19 16:13:18 p2379518 proftpd: Deprecated pam_stack module called from service "proftpd"
Jul 19 16:13:18 p2379518 last message repeated 2 times
Jul 19 16:13:18 p2379518 proftpd[30762]: [SERVER_HOST_NAME] ([CLIENT_IP]) - USER [FTP_USERNAME]: Login successful.
Jul 19 16:13:18 p2379518 proftpd[30762]: [SERVER_HOST_NAME] ([CLIENT_IP]]) - Preparing to chroot to directory '/var/www/vhosts/[DOMAIN]'
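
Added example (not part of any post in this thread, and not Plesk or ProFTPD code): a Python audit of a PAM service file such as the /etc/pam.d/proftpd quoted above, listing rules that can let a login succeed without a password check and the services whose stacks decide the result. The function names, finding codes and the NO_CRED module list are assumptions made for this example, and the output does not diagnose the poster's server.

```python
import re

# Sample input: the /etc/pam.d/proftpd rules quoted in the thread.
THREAD_PAM = """\
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
#session required pam_stack.so service=system-auth
session required pam_permit.so
"""

# type, control (word or [bracketed]), module, args; comments and blanks never match
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Assumed list of modules that never verify a password; extend as needed.
NO_CRED = {"pam_listfile.so", "pam_shells.so", "pam_permit.so", "pam_nologin.so", "pam_env.so"}

def parse(text):
    for n, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.strip())
        if m:
            t, control, module, args = m.groups()
            yield n, t, control, module.rsplit("/", 1)[-1], args.split()

def audit(text):
    """Return (lineno, code, message) findings; lineno 0 means whole file."""
    findings, auth_checks = [], False
    for n, t, control, module, args in parse(text):
        delegated = None
        if module == "pam_stack.so":  # deprecated form, as the thread's log says
            delegated = next((a[8:] for a in args if a.startswith("service=")), "?")
        elif control in ("include", "substack"):  # current form of delegation
            delegated = module
        if delegated:
            findings.append((n, "DELEGATED", f"{t} result comes from /etc/pam.d/{delegated}; audit it too"))
        if t == "auth":
            auth_checks |= bool(delegated) or module not in NO_CRED
            if module == "pam_permit.so":
                findings.append((n, "ALWAYS_OK", "pam_permit.so in the auth stack accepts any password"))
            if "nullok" in args:
                findings.append((n, "NULLOK", "accounts with an empty password may log in"))
        if "onerr=succeed" in args:
            findings.append((n, "FAIL_OPEN", "a module error (e.g. unreadable file) counts as success"))
    if not auth_checks:
        findings.append((0, "NO_CREDENTIAL_CHECK", "no auth rule verifies a password"))
    return findings

if __name__ == "__main__":
    print(*audit(THREAD_PAM), sep="\n")
```

For the file quoted in the thread, every password decision is delegated to system-auth, so that file is the next one to run through the same audit.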
 