
URGENT: security fix for psa-proftpd?

Check the date stamp on the file in /usr/sbin/ named proftpd.

If the microupdate has been applied to the server, the date stamp should be November 11th 2010. If it is the older version it will be something like May 4th 2010.
 
How to stop FTP?

OK, this question sounds stupid, but I didn't find a solution through Google. I have Plesk 9.23 running, so the patch for me will be available tomorrow. So today I would like to shut down FTP for 60 domains. But how?
 
Autoinstaller doesn't work (Plesk 9.5.3 and CentOS 5) and it gives this message:

Do as it suggests: "Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system" -

do a
rpm -e --nodeps psa-proftpd-1.3.3c-2.el5.art.x86_64
and run autoinstaller again.
 
Do as it suggests: "Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system" -

do a

and run autoinstaller again.

OK, I've removed the package using --nodeps and then executed the autoupdater in Plesk. But now proftpd -v says version 1.3.2; is this right? I still can't log in to FTP...
 
Solution SUMMARY AND UPDATE - problems, older versions etc

I've also updated using yum upgrade psa-proftpd and now I can't log in to my FTP. I've tried updating the component 'Base packages of Plesk' through the Plesk 9.5.3 panel, but it fails due to a conflict with the old version of proftpd; how can I solve this? My system is CentOS 5.

Miguel,

the solution is relatively simple (follow the steps in this order):

1 - make sure that you have a proftpd file in /usr/sbin/
2 - make sure that the /usr/sbin/proftpd is NOT the one installed by the atomic upgrade (i.e. installed by yum upgrade psa-proftpd). For this, check the version with command: proftpd -v
3 - verify that the version is one of these:
a) version 1.3.1 or smaller (without hotfixes),
b) 1.3.2e (with or without hotfix, due to some unfortunate naming by Parallels in the hotfix) or
c) 1.3.3c (when using an official release from the proftpd community).
4 - if version is not one of the above, then:
a) first issue the command: mv /usr/sbin/proftpd /usr/sbin/proftpd.art
b) download and compile a 1.3.3c release from proftpd community (compilation just by issuing the commands, 1) ./configure and 2) make install),
c) issue the command: cp [compilation directory]/proftpd /usr/sbin/proftpd
5 - to be sure, issue the command: service xinetd restart
6 - go to /usr/local/psa/admin/sbin and run ./autoinstaller
7 - verify that it updates the hotfix when downloading and installing the updates
8 - to be sure, issue the command: proftpd -v
9 - verify that the proftpd version is 1.3.2e

NOTE: the version from step 9 is the psa-proftpd version number and not the proftpd version that is vulnerable. In fact, the psa-proftpd 1.3.2e is actually a compiled version of proftpd 1.3.3c, which is secure. No worries!!!
(Parallels made an unfortunate and confusing naming decision in the hotfix)

10 - final step: manually delete files installed by atomic upgrade (if required, since they are on the system without any function, so no worries here if they are left).

This should work for all forum members that encounter problems related to failures to upgrade to 9.5.3, applying the hotfix or removing "atomic upgrade".

Solution for older versions than 9.5.3:
- run steps 3 to 5
- if necessary or required, make symlinks for the /usr/bin/ftp*** files and link them to the [compilation directory]/ftp*** files (otherwise, issuing commands like ftpwho or ftpcount can yield error messages, due to the fact that the /var/run/proftpd/scoreboard file is of the newer version 1.3.3c)
- APPLY HOTFIX supporting your Plesk version LATER, when it is delivered by Parallels (should not give any problems)

REMARK: solution for versions older than 9.5.3. is a temp fix that also allows you to KEEP OPEN FTP service, WITHOUT being vulnerable to the security leak in older proftpd versions (not to be mistaken with psa-proftpd, the file compiled by Parallels).

Kind regards....
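As an added example (not code from the thread, from Parallels or from the proftpd project), a small POSIX shell script that pulls together the checks the posts above describe: the `proftpd -v` banner, the 2010-11-11 date stamp on /usr/sbin/proftpd, and the ftp_psa xinetd switch. It assumes GNU coreutils and the standard xinetd `disable = yes` keyword, and it encodes the thread's own version claims rather than an authoritative list:

```shell
#!/bin/sh
# Added example, not from the thread: gather the three facts the posts above
# use to judge whether the psa-proftpd hotfix has really landed on a Plesk box:
#   1. the version banner printed by `proftpd -v`
#   2. the modification date of /usr/sbin/proftpd (hotfixed build: 2010-11-11)
#   3. whether the ftp_psa xinetd service is disabled
# Assumes GNU coreutils (stat -c, date -d) and the standard xinetd keyword
# "disable = yes" in /etc/xinetd.d/ftp_psa. Inputs are passed as arguments so
# the logic can be checked against constructed data, without a real Plesk host.

# Pull the bare version (1.3.2e, 1.3.3c, 1.3.2rc3, ...) out of a banner line.
proftpd_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*[a-z0-9]*\).*/\1/p' | head -n 1
}

# Succeed if FILE's mtime is on or after the YYYY-MM-DD cutoff.
modified_on_or_after() {
    [ -e "$1" ] || return 2
    [ "$(stat -c %Y "$1")" -ge "$(date -d "$2" +%s)" ]
}

# Succeed if the xinetd service file switches the service off.
xinetd_service_disabled() {
    grep -Eqi '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Classify a banner plus binary path using the claims made in this thread:
# 1.3.3c is the fixed community release; vendor builds (the 1.3.2e hotfix,
# the Plesk 10 1.3.3 banner) keep an old banner, so the date stamp decides;
# 1.3.2rc3 up to 1.3.2d fall in the range the linked bug report calls vulnerable;
# anything else (e.g. 1.3.1, where it depends on vendor patches) needs a look.
hotfix_status() {
    ver=$(proftpd_version "$1")
    case "$ver" in
        1.3.3c) echo patched ;;
        1.3.2e|1.3.3|1.3.3[ab])
            if modified_on_or_after "$2" 2010-11-11; then echo patched-by-date
            else echo vulnerable-range; fi ;;
        1.3.2rc[3-9]|1.3.2|1.3.2[a-d]) echo vulnerable-range ;;
        *) echo "check-manually:${ver:-none}" ;;
    esac
}

# Stand-alone use on a Plesk host:
#   hotfix_status "$(proftpd -v 2>&1)" /usr/sbin/proftpd
#   xinetd_service_disabled /etc/xinetd.d/ftp_psa && echo "ftp_psa is disabled"
```

A date stamp is only as trustworthy as the filesystem it sits on; where the package manager still knows the file, `rpm -V psa-proftpd` is the stronger check.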
 
Thanks a lot, trialot; I think that I have the issue solved, because proftpd -v returns 1.3.2e and also the file /usr/sbin/proftpd is:

746536 Nov 11 15:58

I can't test the FTP access from outside right now, because my provider has closed port 21 on all servers as a security measure; I'm waiting for them to open it again...

thanks!
 
Thanks a lot, trialot; I think that I have the issue solved, because proftpd -v returns 1.3.2e and also the file /usr/sbin/proftpd is:

746536 Nov 11 15:58

I can't test the FTP access from outside right now, because my provider has closed port 21 on all servers as a security measure; I'm waiting for them to open it again...

thanks!

Naturally, your provider should have a look at this forum and thread and re-open the ftp service.

If there is a desperate need for ftp in the meantime, just contact me in private on this forum.
 
OK, this question sounds stupid, but I didn't find a solution through Google. I have Plesk 9.23 running, so the patch for me will be available tomorrow. So today I would like to shut down FTP for 60 domains. But how?

Edit /etc/xinetd.d/ftp_psa and change the 1 in the enabled row to 0. Then run:

service xinetd restart

FTP should now be disabled.
 
Verify it yourself and check the version of psa-proftpd: versions 1.3.1 to 1.3.2e are sure to be vulnerable, and versions of proftpd (not psa-proftpd) are vulnerable from 1.3.1 to 1.3.3c (if I am not mistaken, since the security gap was introduced in the versions after 10 November 2008 and hence in proftpd and psa-proftpd as of that time).
Plesk 9.3 ships with proftpd 1.3.1.

Are you sure the vulnerability also affects that version?

According to the bug report here http://bugs.proftpd.org/show_bug.cgi?id=3521, the vulnerability was introduced in proftpd 1.3.2rc3, so Plesk 9.3 should not be affected by it.

Can anyone confirm?

Thanks.
 
Plesk 9.3 ships with proftpd 1.3.1.

Are you sure the vulnerability also affects that version?

According to the bug report here http://bugs.proftpd.org/show_bug.cgi?id=3521, the vulnerability was introduced in proftpd 1.3.2rc3, so Plesk 9.3 should not be affected by it.

Can anyone confirm?

Thanks.

You are probably right, even though the bug has been present before, depending on the patches used in proftpd.

That is, depending on patches used by Parallels, in order to compile psa-proftpd.

Note that I was trying to reproduce the error, even with the unpatched/no-hotfix version of psa-proftpd, versions 1.3.1 to 1.3.2e.

Never succeeded in reproducing the error, which is essentially an overflow vulnerability and nothing more.

The least thing I can say, there is a 99,9% chance that psa-proftpd version 1.3.1 and a 99,99% chance that the hotfixed version 1.3.2e are not vulnerable to the overflow issue.

Rest assured.

To be 100% sure, just compile the 1.3.3c version of proftpd and use a symlink to your own proftpd version.

A small hint: when compiling your own psa-alike build of proftpd, use proftpd --settings to extract the compilation settings and get as close as possible to the psa-proftpd (version 1.3.2e) variant.

Kind regards.....

PS would be nice to have an explanation or a file with changes in source code from Parallels, wouldn't it?
 
Debian / Ubuntu have this problem?

Hello, I don't know if Debian and Ubuntu have this problem!!!

Please reply to me, my server with Fedora is under attack!!!

I don't know if I need to stop all servers!

Thanks!
 
I've downloaded and installed the microupdate on our Plesk 10 systems. But "proftpd -v" still returns version 1.3.3 and not 1.3.3c. How can we be 100% sure that the update was successfully installed?
 
Do as it suggests: "Unable to proceed with the installation until the package psa-proftpd-1.3.3c-2.el5.art.x86_64 is removed from the system" -

do a

and run autoinstaller again.

I solved it with this command to remove psa-proftpd: rpm -e --nodeps psa-proftpd-1.3.3c-2.el5.art

and ran autoinstaller
 
Hello, I don't know if Debian and Ubuntu have this problem!!!

Please reply to me, my server with Fedora is under attack!!!

I don't know if I need to stop all servers!

Thanks!

Just reboot the server; that gives the system some time to resolve the underlying overflow problem when being attacked.

Also stops the unwanted copying of data, that can occur with telnet when proftpd is not hotfixed.

After the attack, shut down ftp_psa (see previous posts in this thread) and try to find and remove malicious software.

Also, after/before rebooting (required), block the original telnet port (since attackers now know they can get you there) and reroute telnet (if needed at all) to a new, less obvious port.

You can stop the current attack by disabling telnet ports, but the overflow requires a reboot.

Kind regards.....
 
After the attack, shut down ftp_psa (see previous posts in this thread) and try to find and remove malicious software.

Well, the recommended solution after a successful hack is to reinstall the server from scratch, because one can never be sure that he found all planted backdoors. It takes some seconds with the right script to put 10 backdoors on a system; if you only find 9, the 1 backdoor can be used to plant another 10 backdoors. That's a very steep uphill battle; reinstall.

Even if your server doesn't host any sensitive data, someday the police might knock on your door because illegal software, movies, child pornography, ... can run through your system. Now prove to them it wasn't you ...
 
Thank you Parallels for bringing out the patches relatively quickly.
And thank you Igor for being here to help with questions as always :)
 
Well, the recommended solution after a successful hack is to reinstall the server from scratch, because one can never be sure that he found all planted backdoors. It takes some seconds with the right script to put 10 backdoors on a system; if you only find 9, the 1 backdoor can be used to plant another 10 backdoors. That's a very steep uphill battle; reinstall.

Even if your server doesn't host any sensitive data, someday the police might knock on your door because illegal software, movies, child pornography, ... can run through your system. Now prove to them it wasn't you ...

What kind of world is this? If that happens, they need to prove that you are guilty, not the reverse. Please, don't be so tragic :D. Other than this, your advice was very reasonable: if the server was attacked, you don't know what is hidden in your data now.

Thank you Parallels for bringing out the patches relatively quickly.
And thank you Igor for being here to help with questions as always

You are in ironic mode, aren't you? Because as far as I know Parallels takes more than a week to offer a solution (and there is confusion with proftpd version numbers, among other problems), so thanks, but... no clapping hands. And Igor did not provide a lot of info here to solve our problems, just aseptic answers and no concrete instructions or steps to solve the problems that were asked here.

Regards,
 
Okay

Thanks for the suggestion ;) But I know ... My request is simple: I require information on which operating systems are afflicted by this bug....

Regards...
 