Plesk hacked websites hacked / proftpd ?

[AlbertCa]

Hello,

Yesterday ~30 of our servers have been hacked. Plesk is patched but it seems there's a new hack issue with proftpd http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=ProFTPD_vulnerabilities.html. Is anyone aware of this ? What can we do to determine how servers have been hacked ?

Thank you

 

[IgorG]

ProFTPD 1.3.3 and prior are prone to a vulnerability

On Plesk 11 for Debian, for example:

# cat /usr/local/psa/version
11.0.9 Debian 6.0 110120615.10

# dpkg -l | grep proftpd
ii psa-proftpd 1.3.4a-debian6.0.build110120606.18 ProFTPD -- Professional FTP Server.

 

[AlbertCa]

On one of my plesk server I'm running psa-proftpd-1.3.4a-1.el5.art (atomic install).

How can I upgrade proftpd on all my plesk servers if I'm runing plesk 8 to 10 ?

Thanks

 

[IgorG]

I think that you can just run on servers something like:

# rpm -Uvh ftp://path_to_source/psa-proftpd-1.3.4a-1.el5.art...rpm

 

[AlbertCa]

On one of my plesk server I'm running psa-proftpd-1.3.4a-1.el5.art (atomic install).

How can I upgrade proftpd on all my plesk servers if I'm runing plesk 8 to 10 ?

Thanks

psa-proftpd-1.3.4a-1.el5.art was hacked too I meant...

 

[IgorG]

psa-proftpd-1.3.4a-1.el5.art was hacked too I meant...

According to your link http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=ProFTPD_vulnerabilities.html this version (1.3.4) is not vulnerable.

 

[AlbertCa]

I think that you can just run on servers something like:

# rpm -Uvh ftp://path_to_source/psa-proftpd-1.3.4a-1.el5.art...rpm

Thank you, Is there an official Parallels' repo where I can find the latest proftpd package I can install for all my plesks ?

 

[Faris Raouf]

As Igor mentioned, the version of psa-proftpd that you are using (1.3.4a) is not vulnerable to the issues described in the page you linked to. The very latest problem mentioned on that page is for 1.3.3.

Although there is an 1.3.4b version of ProFTPd (the base package, not the Plesk-customised one), it does not incorporate any security fixes as far as I can see- only bugfixes.

There is also a 1.3.5RC1 but this is a big change and does not incorporate any security fixes that I know of. It was released on the 2nd of Januaty 2013.

This is not to say there are not any security issues fixes in them at all -- it is just that they aren't mentioned in the release notes.

See https://forums.proftpd.org/smf/index.php/board,7.0.html

So I think we need to look at why do you think proftpd was the source of the hack? There could be many other reasons. If you could possible explain in a bit more detail, we may be able to get closer to understanding what's going on.

 

[AlbertCa]

As Igor mentioned, the version of psa-proftpd that you are using (1.3.4a) is not vulnerable to the issues described in the page you linked to. The very latest problem mentioned on that page is for 1.3.3.

Although there is an 1.3.4b version of ProFTPd (the base package, not the Plesk-customised one), it does not incorporate any security fixes as far as I can see- only bugfixes.

There is also a 1.3.5RC1 but this is a big change and does not incorporate any security fixes that I know of. It was released on the 2nd of Januaty 2013.

This is not to say there are not any security issues fixes in them at all -- it is just that they aren't mentioned in the release notes.

See https://forums.proftpd.org/smf/index.php/board,7.0.html

So I think we need to look at why do you think proftpd was the source of the hack? There could be many other reasons. If you could possible explain in a bit more detail, we may be able to get closer to understanding what's going on.

Hello Faris,

Almost all servers are running proftpd 1.3.3... except one has also been hacked. I thought it was the proftpd because of the security alert I found. But there's maybe another hack in plesk or one of its components ?

What should I do ? Apply micro updates on all servers ?

Thanks

 

[Faris Raouf]

There was a significant vulnerability in Plesk that was discovered last year.

If you were not keeping your panel up to date, it is possible that this is what was used to gain access to it.

Take a look here:

http://kb.parallels.com/en/113457

http://kb.parallels.com/en/113448

http://kb.parallels.com/en/114396

*IF* (and I stress *IF*) this is the cause of your problem then you'll need to do a minimum of two things: Update to the latest MU and use the password reset scripts that you'll find linked to in the info in the KBs. Read through all the info carefully and decide the best course of action.

 

[Faris Raouf]

Also note that keeping your system updated via MUs will also make sure the latest Plesk-supplied psa-proftpd that's available for your version of Plesk will also be installed. I'm not saying it WASN'T proftpd that was the problem -- it is just that if the same thing happened on the 1.3.4a one then you don't have a common denominator and it is unlikely to be the cause.

 

[Faris Raouf]

Oh, wait. Are you saying that the only one that WASN'T hacked was running 1.3.4a? If so then...Hmmm...

Anyway, apply those MUs and get the latest everything! That's definitely a first step.

 

[Faris Raouf]

And you can get the Atomic 1.3.4.a from the Atomic repo.

http://www6.atomicorp.com/channels/atomic/

On that page you'll see instructions for enabling the repo as well:

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

 

[AlbertCa]

Hello,

I had the confirmation that the hacker modified pages with the FTP.
Seems that he gained access on several server, so does parallels propose an upgrade for this package ?

psa-proftpd-1.3.2e-cos5.build95101209.05

What can I do ? resetting password may be unuseful because it won't explain how he got it before...

This is very critical...

 

[Faris Raouf]

Well...don't jump to conclusions.

If you did not secure your system by installing the MUs and your system was vulnerable then the bad guys will have been able to obtain all the usernames and passwords for all accounts.

If all your sites have been hacked, this is the most likely cause rather than a relatively obscure issue in proftpd.

If it was just one site, then most likely the customer has password-sniffing malware on their computer, or such malware was installed on a computer they used to login at some point (or used an insecure wifi access point or something).

Once again please note that I'm not saying it definitiely isn't this proftpd vulnerability that was the cause of the hack. It is just that I've never heard of anybody at all being compromised by this, but there are plenty of people I know of who were unfortunate enough to be affected by the vulnerability I mentioned.

Regarding upgrading to the latest psa-proftp, you do this through the Plesk updater (updated and upgrades link in the Tools menu) within your panel, which will pull down the latest version if need be. There has never been a need to manually install proftpd updates unless you need want to use components from a different repo (e.g. the atomic ones).

So, if you need a version like 1.3.4, install the atomic repo and get it from there. But keep in mind that the repo also includes updated php and mysql and other components you may not want. So you could just install what you want then disable the repo. HOWEVER, you will find that every time you install an MU, the latest Parallels-provided psa-proftpd files will be re-installed.

 

[AlbertCa]

Hello Faris,

Yes you're right, FTP is finally maybe not the key a colleague used it to correct pages.
I did run MU on all my servers but the hack occurred again today.

Any recommendation ?

Thank you for your help

 

[Faris Raouf]

Unless you change *all* the passwords using the password-changing script, and remove any nasty stuff that has been put on the websites (as well as the password changing script, the KBs I pointed to also have a bad stuff removing script but only for the type used widely at the time of the original vulnerability), it will keep getting hacked.

It is also possible that other bad stuff has been installed and needs to be found and removed, or that the compromise is something different to that mentioned in the KB (for example, via an OS application that has not been updated) or ...well...it could be lots of things unfortunately :-( I know I'm not being much help. But changing all the passwords is absolutely necessary, then scanning the entire system for nasrty things.

Use rkhunter for rootkits and clamav for a general system scan for malware.

 

[HostaHost]

On Plesk 11 for Debian, for example:

# cat /usr/local/psa/version
11.0.9 Debian 6.0 110120615.10

# dpkg -l | grep proftpd
ii psa-proftpd 1.3.4a-debian6.0.build110120606.18 ProFTPD -- Professional FTP Server.

So are you saying that proftpd 1.3.3e that is still installed and distributed by Plesk 10.4.4 is vulnerable?

 

[Faris Raouf]

To my *untrained* eye, and if I'm following the correct links from the page the OP posted, the out of the box 1.3.3 has a bug in it that could cause some trouble, but ONLY if the attacker has local (e.g. ssh) access to the filesystem in question as well as ftp access to the same files, AND even then only under certain conditions. I have not read the entire thread discussing the issue, however.

Incidentally, CVE-2012-6095 implies that it is all versions below 1.3.5rc1 but is also marked "under review".

At this stage I do not see anything to worry about. Otherwise I have no doubt there would have been a lot of noise about this both here and on other forums I visit.

I'm sure the parallels devs have their eye on this.