
How to know hidden FTP account ?

NaSOnWeb

Basic Pleskian
Hi...
I just realised that my web server has been hacked... I think it is for warez FTP use...
I would like to know if there are any hidden FTP accounts on my server.

Is it possible by SSH?...

Are there FTP logs with all FTP activity on the server? (Where?)


Thanks a lot
 
Hello,

You can check the FTP logs in the file /usr/local/psa/var/log/xferlog. Also, I suggest you change all the FTP and panel passwords of your hacked account, install LMD (Linux Malware Detect) on your server and scan your whole server. Maybe a shell script has been uploaded to your server and the hacker is using that file to upload files to your server.
 
Thanks.
The problem was an old vulnerability in Plesk. All my account passwords have been changed, and the latest Plesk update is OK now...
What is weird is that I do not have any tracks of FTP access to the warez files on my server...
The files were created in April but there are no tracks of activity...
Do you know how I can find tracks of this intrusion? And above all, how can I list the accounts (FTP, SSH...) on my server to verify whether there are any hidden accounts?

Thanks
 
Hello,

You can find all system info (FTP login info) in the Plesk panel DB. Please try the following command:

Code:
mysql -u admin -p`cat /etc/psa/.psa.shadow`

use psa;

Then enter the following command and you will get all the info of your users.

Code:
select * from sys_users;
 
Hi,
Thanks a lot. It works and there is nothing bad in view...
So the last thing I would like to verify is the Linux system accounts. (If I've understood correctly, this command shows me only FTP accounts.)
Is there a way?
Thanks
 
OK, I've found the command line:

cut -f 1 /etc/passwd -d:

Here are my sys users... Do you see something strange? Thanks

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
syslog
bind
sshd
mysql
psaadm
popuser
mhandlers-user
psaftp
sw-cp-server
alias
qmaild
qmaill
qmailp
qmailq
qmailr
qmails
hspc
sso
drweb
horde_sysuser
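
A names-only listing like the one above does not show which accounts share UID 0 or can log in with a shell. The following audit is an added example, not part of the original thread; the sample entries, including the hypothetical account names ftpsvc and webdev, are constructed.

```shell
#!/bin/sh
# Audit passwd-format input for accounts a names-only listing hides.
# Prints one finding per line: "UID0 name", "DUPUID name first-owner",
# "SHELL name shell", or "MALFORMED line N".
audit_passwd() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }          # skip blanks and comments
        NF != 7 { print "MALFORMED line " NR; next }
        {
            name = $1; uid = $3; shell = $7
            # Any UID 0 account other than root has full root privileges
            if (uid ~ /^0+$/ && name != "root")
                print "UID0 " name
            # Two names with one UID are the same user to the kernel
            if (uid in seen)
                print "DUPUID " name " " seen[uid]
            else
                seen[uid] = name
            # An empty shell field means the system default shell is used
            if (shell == "")
                shell = "(empty: default shell)"
            # Flag every shell that is not nologin, false or sync
            if (shell !~ /\/(nologin|false|sync)$/)
                print "SHELL " name " " shell
        }
    ' "$@"
}

# Constructed sample in /etc/passwd format (not data from the thread).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
psaftp:x:2522:2521:anonftp psa user:/:/bin/false
ftpsvc:x:0:0::/var/tmp:/bin/bash
webdev:x:1:1::/home/webdev:/bin/sh
EOF
}

# Demo on the sample; on a real host run: audit_passwd /etc/passwd
sample_passwd | audit_passwd
```

Each flagged account can then be compared with the logins in the Plesk `sys_users` table queried earlier in the thread.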
 