
Resolved Logs and proFtpd

JuanCar

Regular Pleskian
Server operating system version
Almalinux 9.4
Plesk version and microupdate number
Plesk Obsidian 18.0.62 #1
Hello
Some days ago somebody uploaded a file to my domain. I didn't know how the guy did it, so I am exploring the logs.
I found the upload in xferlog; it was made from an unknown IP, so I suspect the guy broke my password or the proftpd server (how?)

Then looking in message and secure logs I've found something I can't understand. It's about users opening proftp sessions, it looks like there are two users: one for session and one for proftpd
I have a domain and several subdomains. Every domain has its own user for ftp access.
Reading these logs you can see that in the secure log one user appears in systemd-user:session (some domains do not have this line), and the messages log shows just the session user.
I wonder why? I suppose that both logs should show the ftp_user.
When I open an ftp connection from any subdomain or from the main domain I get:

secure log file:
Jul 31 18:37:01 myservername systemd[2757962]: pam_unix(systemd-user:session): session opened for user other_user_name(uid=10004) by other_user_name(uid=0)
Jul 31 18:37:01 myservername proftpd[2757954]: pam_unix(proftpd:session): session opened for user ftp_user(uid=10004) by (uid=0)

message log file
Jul 31 18:37:01 myservername systemd[1]: Started ProFTPD FTP Server (xxx.xxx.xxx.xxx:48303).
Jul 31 18:37:01 myservername systemd-logind[701]: New session c1586 of user other_user_name.
Jul 31 18:37:01 myservername systemd[1]: Created slice User Slice of UID 10004.
Jul 31 18:37:01 myservername systemd[1]: Starting User Runtime Directory /run/user/10004...
Jul 31 18:37:01 myservername systemd[1]: Finished User Runtime Directory /run/user/10004.
Jul 31 18:37:01 myservername systemd[1]: Starting User Manager for UID 10004...
Jul 31 18:37:01 myservername systemd[2757962]: Queued start job for default target Main User Target.
Jul 31 18:37:01 myservername systemd[2757962]: Created slice User Application Slice.
Jul 31 18:37:01 myservername systemd[2757962]: Started Mark boot as successful after the user session has run 2 minutes.
Jul 31 18:37:01 myservername systemd[2757962]: Started Daily Cleanup of User's Temporary Directories.
Jul 31 18:37:01 myservername systemd[2757962]: Reached target Paths.
Jul 31 18:37:01 myservername systemd[2757962]: Reached target Timers.
Jul 31 18:37:01 myservername systemd[2757962]: Starting D-Bus User Message Bus Socket...
Jul 31 18:37:01 myservername systemd[2757962]: Starting Create User's Volatile Files and Directories...
Jul 31 18:37:01 myservername systemd[2757962]: Listening on D-Bus User Message Bus Socket.
Jul 31 18:37:01 myservername systemd[2757962]: Reached target Sockets.
Jul 31 18:37:01 myservername systemd[2757962]: Finished Create User's Volatile Files and Directories.
Jul 31 18:37:01 myservername systemd[2757962]: Reached target Basic System.
Jul 31 18:37:01 myservername systemd[2757962]: Reached target Main User Target.
Jul 31 18:37:01 myservername systemd[2757962]: Startup finished in 88ms.
Jul 31 18:37:01 myservername systemd[1]: Started User Manager for UID 10004.
Jul 31 18:37:01 myservername systemd[1]: Started Session c1586 of User other_user_name.

Thanks
 
Hi,
when I realized that someone used my ftp account to upload a file to my server without authorization, I changed the name and pass of the subscription owner (the owner of the domain), but now all the folders and files in my domain have another user as owner (the other_user_name in my post). Plesk changed the old owner to another one instead of changing the name of the owner of the folders and files.
Is there any way to reset the owner of all my domain and subdomains?
The command chown new_user:group subdomain_folder doesn't work, although it doesn't show any error.
Thanks
 
I guess you have FTP user(s) in the domain's settings (https://docs.plesk.com/en-US/obsidi...to-your-websites/adding-ftp-accounts.65153/); they use the same user_id as a user who owns the file to avoid any permission issues. Based on the logs you provided, the ID is "10004". It also means that everything with the owner of the domain/subdomain is ok. Anyway, if you have backups, it makes sense to restore data from the backups.

Here is a small example from my test server to show how you could check this guess on your server,
root@panel:~# cat /etc/passwd | grep ftptest
ftptest1:x:10015:1005::/var/www/vhosts/example.org:/bin/false
ftptest2:x:10015:1005::/var/www/vhosts/example.org:/bin/false

root@panel:~# grep 10015 /etc/passwd
example.org_rml0af4imc:x:10015:1005::/var/www/vhosts/example.org:/bin/false
ftptest1:x:10015:1005::/var/www/vhosts/example.org:/bin/false
ftptest2:x:10015:1005::/var/www/vhosts/example.org:/bin/false
root@panel:~#
 
Thanks,
Yes, I know the ftp users have the same id. What I want is to choose which of these users appears as owner of the folders and files in my domain.
For example, I have three ftp users: ftpuser-1, ftpuser-2, siteowner. All have the same ID 1004, but the last one appears in Plesk as subscription owner.
When I do ls -lha mydomain I get lines like
drwxr-x---. 10 ftp-user-2 psaserv 4.0K Jul 1 00:22 httpdocs
And what I want is
drwxr-x---. 10 siteowner psaserv 4.0K Jul 1 00:22 httpdocs
And more, in the logs (secure, message) Plesk uses ftp-user-2 instead of siteowner.
Is it possible to reset Plesk so siteowner appears instead of ftpuser-2?
Thanks
 
It depends on how Linux (not Plesk) works with users, id, files, etc.
Anyway, it could be changed (I have checked on my VM) by reordering the records in the `/etc/passwd` file.

With `ls -lan` you will see the real ids of the owner/group (in my example, the owner is "example.org_rml0af4imc"). After reordering, with the record "ftptest1" going first, `ls -la` shows a different owner,
Code:
root@panel:/var/www/vhosts/example.org# ls -lan
total 28
drwx--x---  7 10015 1004 4096 Jun 26 03:17 .
drwxr-xr-x 13     0    0 4096 Jul 24 17:51 ..
drwxr-xr-x  3 10015 1005 4096 Jun 26 03:17 .wp-cli
drwxr-xr-x  2 10015 1005 4096 Mar  6 10:54 error_docs
drwxr-x---  5 10015 1004 4096 Jul 24 03:18 httpdocs
drwx------  2 10015    0 4096 Aug  1 06:27 logs
drwx------  2 10015 1005 4096 Jun 25 15:20 wordpress-backups

root@panel:/var/www/vhosts/example.org# vi /etc/passwd
[...reordering lines in the file...]

root@panel:/var/www/vhosts/example.org# ls -la
total 28
drwx--x---  7 ftptest1 psaserv 4096 Jun 26 03:17 .
drwxr-xr-x 13 root     root    4096 Jul 24 17:51 ..
drwxr-xr-x  3 ftptest1 psacln  4096 Jun 26 03:17 .wp-cli
drwxr-xr-x  2 ftptest1 psacln  4096 Mar  6 10:54 error_docs
drwxr-x---  5 ftptest1 psaserv 4096 Jul 24 03:18 httpdocs
drwx------  2 ftptest1 root    4096 Aug  1 06:27 logs
drwx------  2 ftptest1 psacln  4096 Jun 25 15:20 wordpress-backups
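
Added example, not part of the thread or of Plesk: a shell helper that lists the UIDs shared by several `/etc/passwd` entries, the name that `ls` and the logs will show for each, and every login that maps to the same files as a name seen in a log. It assumes the plain `files` passwd backend; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the plain "files" passwd
# backend, where a UID resolves to the first matching line in file order.

# shared_uids FILE: one line per UID used by more than one account, with the
# name that ls and the logs will show for it.
shared_uids() {
    awk -F: '
        /^#/ || NF < 7 { next }
        {
            if (!($3 in first)) { first[$3] = $1; order[++n] = $3; all[$3] = $1 }
            else { all[$3] = all[$3] "," $1 }
            count[$3]++
        }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (count[u] > 1)
                    printf "%s shown_as=%s aliases=%s\n", u, first[u], all[u]
            }
        }
    ' "$1"
}

# aliases_for NAME FILE: every account sharing NAME's UID. Each one is a
# separate login (own password) to the same files.
aliases_for() {
    awk -F: -v who="$1" '
        /^#/ || NF < 7 { next }
        { name[++n] = $1; id[n] = $3; if ($1 == who) uid = $3 }
        END { for (i = 1; i <= n; i++) if (uid != "" && id[i] == uid) print name[i] }
    ' "$2"
}

# Constructed sample modelled on the /etc/passwd lines quoted above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
example.org_rml0af4imc:x:10015:1005::/var/www/vhosts/example.org:/bin/false
ftptest1:x:10015:1005::/var/www/vhosts/example.org:/bin/false
ftptest2:x:10015:1005::/var/www/vhosts/example.org:/bin/false
solo:x:10020:1005::/var/www/vhosts/example.net:/bin/false
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
shared_uids "$tmp"
aliases_for ftptest2 "$tmp"
rm -f "$tmp"
```

On a real server, pass `/etc/passwd` as the file argument and the user name from the secure or xferlog entry as `NAME`.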
 