
How to know hidden FTP account ?

NaSOnWeb

Basic Pleskian
Hi...
I just realised that my web server has been hacked... I think it is for warez FTP use...
I would like to know if there are any hidden FTP accounts on my server.

Is it possible by SSH?

Are there FTP logs with all FTP activity on the server? (Where?)


Thanks a lot
 
Hello,

You can check the FTP logs in the file /usr/local/psa/var/log/xferlog. I also suggest you change all FTP and panel passwords of your hacked account, and install LMD (Linux Malware Detect) on your server and scan your whole server. Maybe a shell script was uploaded to your server and the hacker is using that file to upload files to your server.
 
Thanks.
The problem was an old vulnerability in Plesk. All my account passwords have been changed, and the last Plesk update is OK now...
What is weird is that I do not have any traces of FTP access for the warez files on my server...
The files were created in April but there are no traces of activity...
Do you know how I can find traces of this intrusion? And above all, how can I list the accounts (FTP, SSH...) on my server to verify whether there are any hidden accounts?

Thanks
 
Hello,

You can find all system info (FTP login info) in the Plesk panel DB. Please try the following command:

Code:
mysql -u admin -p`cat /etc/psa/.psa.shadow`

use psa;

Then enter the following command and you will get all the info for your users.

Code:
select * from sys_users;
 
Hi,
Thanks a lot. It works and nothing bad in view...
So the last thing I would like to verify is the Linux system accounts. (If I've understood correctly, this command shows me only FTP accounts.)
Is there a way?
Thanks
 
OK, I've found the command line:

cut -f 1 /etc/passwd -d:

Here are my sys users... Do you see something strange? Thanks

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
syslog
bind
sshd
mysql
psaadm
popuser
mhandlers-user
psaftp
sw-cp-server
alias
qmaild
qmaill
qmailp
qmailq
qmailr
qmails
hspc
sso
drweb
horde_sysuser
 