URGENT: security fix for psa-proftpd?

[LuisN]

I see the instructions at http://www.parallels.com/products/plesk/ProFTPD have been updated. Per the instructions, I ran the following command:
autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

I see the following at the end of the output:
Installing patches...
File downloading PSA_9.5.3/microupdates/MU1/dist-rpm-CentOS-5-i386/proftpd: was skipped because of md5 checksum match.

Does this mean (a) that the updated file is already installed on my system or (b) something is wrong with the patch and the process is aborting?

 

[TeunisR]

This vulnerability is actively used.
I am using Plesk 9.5. This week my server was hacked twice, both times i found a doubtfull ftp-connection in the logfiles shortly before the hack took over my server (running hundreds of processes using the root account).
For the moment i block all incoming trafic at port 21 which effectively blocks all FTP connectios.
We really need a fix for this problem.

Regards, Teunis.

 

[IgorG]

http://kb.odin.com/en/9294

 

[trialot]

Rounding up - Advise

Forum members,

One of the other participants hinted me something, concerning the logs of (in my case, attempted) hacks.

Even though firewall should block attempts from "malicious" IP's and domains, there is the issue that the firewall should be updated.

Every now and then security issues arise, resulting in new attempts to hack and hence requiring new updates of firewall rules.

The hotfix delivered by parallels should suffice, but also add all attempted proftpd hacks (i.e. originating IP addresses) to the firewall rules, preferably with the rule: "block IP on all ports".

Note: this can imply that genuine hosting providers are also being blocked, but then again, if their system is insecure and allows for a traversal of hacks.......just block them and report the issue to the hosting provider. Helps them too.

Kind regards.....

 

[Roy Boverhof]

Why do not want upgrade this very-very old Plesk version?

I have the same problem, one of my plesk machines is still running on Plesk 8.2.1 , the update page doesn't show any higher versions... kind weird because in 9.5.3 I do see plesk 10 versions. (allthough I can't upgrade to 10.x because I use PBAS and this doesn't support Plesk 10 yet)

/usr/sbin/proftpd -v show that I have ProFTPD Version 1.3.0 on this machine, is this version also vulnerable to the exploit?

 

[Jonas21]

@Roy: No but proftpd 1.3.0 is vulnerable to a different exploit (which requires login creditials) which also gives root. You should update (either plesk or compile proftpd yourself).

All in all this situation is ridicoulus. It took parallels a extremly long time to get this fixed. I already talked to our sales resp as well as Mr. Hueneke (formerly CEO). We are Parallels Gold partner and will be looking if we can still offer Plesk to our customers. The incident management of Parallels really needs a freshup....10+days for a 0-day remote root exploit fix is nowhere near acceptable.
Also some of my posts here have been moderated as it seems (i have posted the vulnerability exploit earlier...the post was never published). This has also been taken to my discussions. We will have a meeting with Parallels soon where we will address all this.

Regards,
Jonas Frey
Probe Networks

 

[Roy Boverhof]

@Roy: No but proftpd 1.3.0 is vulnerable to a different exploit (which requires login creditials) which also gives root. You should update (either plesk or compile proftpd yourself).

Thanks Jonas, fortunately this server runs only a few domains of which I know all the owners... so I guess I don't have to worry about it.

At the moment I have a bigger problem with an older Plesk machine running 9.3.0 , I tried updating it but everytime it dies during the update process:

Downloading the file PSA_9.3.0/dist-rpm-CentOS-5-i386/opt/maildrivers/psa-mail-qc-driver-1.0.0-cos5.build93100518.16.i586.rpm: 10%..20%..30%..40%..50%..60%..70%..80%..90%..100% done.
Starting installation of packages
Installing the package psa-mail-qc-driver-1.0.0-cos5.build93100518.16.i586
error: unpacking of archive failed on file /usr/local/psa/etc/modules/watchdog/service.tpl.d/qmail;4cdd5ae9: cpio: mkdir failed - No such file or directory
ERROR: An error occurred during installation of packages.
Attention! Your software might be inoperable.
Please, contact product technical support.

 

[Jonas21]

@Roy: try installing that rpm manually (rpm -Uvh file.rpm)
Otherwise just try creating that directory.
If that doesnt work, try to find out which directory structure this rpm uses. This can be done by unpacking the rpm (not installing):
rpm2cpio file.rpm | cpio -idmv

 

[Roy Boverhof]

@Roy: try installing that rpm manually (rpm -Uvh file.rpm)
Otherwise just try creating that directory.
If that doesnt work, try to find out which directory structure this rpm uses. This can be done by unpacking the rpm (not installing):
rpm2cpio file.rpm | cpio -idmv

Thanks, I actually just found the solution. It seems the following directory caused all the problems:

? ?--------- ? ? ? ? ? watchdog

I logged in to the hardware node and I was able to remove this directory (and the underlying virtuozzo link)... after I did this I ran the autoinstaller again and it upgraded everything and installed the patch.

Looks like my systems are safe again

 

[LuisN]

I see the instructions at http://www.parallels.com/products/plesk/ProFTPD have been updated. Per the instructions, I ran the following command:
autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

I see the following at the end of the output:
Installing patches...
File downloading PSA_9.5.3/microupdates/MU1/dist-rpm-CentOS-5-i386/proftpd: was skipped because of md5 checksum match.

Does this mean (a) that the updated file is already installed on my system or (b) something is wrong with the patch and the process is aborting?

Does anyone have any advice on this?

 

[Roy Boverhof]

Does anyone have any advice on this?

Have a look at /root/.autoinstaller/microupdates.xml , this should contain:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="9.5.3">
<patch version="1" timestamp="" />
</product>
</patches>

Apparently the version number stays at 1.3.2e if you run:

/usr/sbin/proftpd -v
ProFTPD Version 1.3.2e

 

[Jonas21]

@LuisN: b), the file was downloaded but the m5sum (checksum) of the downloaded file does not match.
Probably there was an error, the file was not downloaded completly or is somehow corrupted. Try deleting the file and run the autoinstaller again.

 

[IgorG]

@Roy: No but proftpd 1.3.0 is vulnerable to a different exploit (which requires login creditials) which also gives root. You should update (either plesk or compile proftpd yourself).

All in all this situation is ridicoulus. It took parallels a extremly long time to get this fixed. I already talked to our sales resp as well as Mr. Hueneke (formerly CEO). We are Parallels Gold partner and will be looking if we can still offer Plesk to our customers. The incident management of Parallels really needs a freshup....10+days for a 0-day remote root exploit fix is nowhere near acceptable.
Also some of my posts here have been moderated as it seems (i have posted the vulnerability exploit earlier...the post was never published). This has also been taken to my discussions. We will have a meeting with Parallels soon where we will address all this.

Regards,
Jonas Frey
Probe Networks

Did you see it?
http://www.parallels.com/products/plesk/ProFTPD

 

[PersianC]

Miguel,

the solution is relative simple (in this order, follow the steps):

1 - make sure that you have a proftpd file in /usr/sbin/
2 - make sure that the /usr/sbin/proftpd is NOT the one installed by the atomic upgrade (i.e. installed by yum upgrade psa-proftpd). For this, check the version with command: proftpd -v
3 - verify that version is some of this:
a) version 1.3.1 or smaller (without hotfixes),
b) 1.3.2e (with or without hotfix, due to some unfortunate naming by Parallels in the hotfix) or
c) 1.3.3c (when using an official release from the proftpd community).
4 - if version is not one of the above, then:
a) first issue the command: mv /usr/sbin/proftpd /usr/sbin/proftpd.art
b) download and compile a 1.3.3c release from proftpd community (compilation just by issuing the commands, 1) ./configure and 2) make install),
c) issue the command: cp [compilation directory]/proftpd to /usr/sbin/proftpd
5 - to be sure, issue the command: service xinetd restart
6 - go to /usr/local/psa/admin/sbin and run ./autoinstaller
7 - verify that it updates the hotfix when downloading and installing the updates
8 - to be sure, issue the command: proftpd -v
9 - verify that the proftpd version is 1.3.2e

NOTE: the version from step 9 is the psa-proftpd version number and not the proftpd version that is vulnerable. In fact, the psa-proftpd 1.3.2e is actually a compiled version of proftpd 1.3.3c, which is secure. No worries!!!
(Parallels made an unfortunate and confusing naming decision in the hotfix)

10 - final step: manually delete files installed by atomic upgrade (if required, since they are on the system without any function, so no worries here if they are left).

This should work for all forum members that encounter problems related to failures to upgrade to 9.5.3, applying the hotfix or removing "atomic upgrade".

Solution for older versions than 9.5.3:
- run steps 3 to 5
- if necessary or required, make symlinks for the /usr/bin/ftp*** files and link them to the [compilation directory]/ftp*** files (otherwise, issuing commands like ftpwho or ftpcount can yield error messages, due to the fact that the /var/run/proftpd/scoreboard file is of the newer version 1.3.3c)
- APPLY HOTFIX supporting your plesk version LATER, when it is delivered by Paralllels (should not give any problems)

REMARK: solution for versions older than 9.5.3. is a temp fix that also allows you to KEEP OPEN FTP service, WITHOUT being vulnerable to the security leak in older proftpd versions (not to be mistaken with psa-proftpd, the file compiled by Parallels).

Kind regards....

Hello trialot,

I did what you said and get Connection close once I try to telnet and test it.
I see this error in syslog:

Nov 13 13:39:20 server1 proftpd[8938]: Fatal: unknown configuration directive 'AuthPAM' on line 59 of '/etc/proftpd.conf'

my plesk is 9.3. any suggestion?

 

[LeandroG]

Hi everyone,



All this version naming style is really strange, because I was running Proftpd 1.3.2e (running Centos 5 32bits) and got both my servers knocked out!!! With all the bad already done... I decided to migrate my systems to 64 bits version, performed all security updates and patches / fixes ... everything... and the proftpd still says:

$ ls -l /usr/sbin/proftpd 
-rwxr-xr-x 1 root root 754416 Nov 13 02:00 /usr/sbin/proftpd

$ /usr/sbin/proftpd -v
ProFTPD Version 1.3.2e

This means the 64bits version still doesnt have a hot fix?

Best Regards,
Leandro

 

[Jonas21]

Your proftpd binary is dated Nov 13. So its fixed.

$ ls -l /usr/sbin/proftpd 
-rwxr-xr-x 1 root root 754416 Nov 13 02:00 /usr/sbin/proftpd

$ /usr/sbin/proftpd -v
ProFTPD Version 1.3.2e

This means the 64bits version still doesnt have a hot fix?

Best Regards,
Leandro

 

[LeandroG]

Hi,

You better not trust that assumption, because the Nov 13 is the date when the file was created in file system...

Cheers

 

[LuisN]

Have a look at /root/.autoinstaller/microupdates.xml , this should contain:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
<product id="plesk" version="9.5.3">
<patch version="1" timestamp="" />
</product>
</patches>

Apparently the version number stays at 1.3.2e if you run:

/usr/sbin/proftpd -v
ProFTPD Version 1.3.2e

Thanks. My microupdates.xml file looks exactly like this.

My version does too....I have to admit the version number thing is really confusing....I wouldn't be surprised if this number really should be updated and that I'm still using the old version. It would be *really* nice if Parallels would confirm the proper version string on their ProFTPD page (http://www.parallels.com/products/plesk/ProFTPD).

 

[LuisN]

@LuisN: b), the file was downloaded but the m5sum (checksum) of the downloaded file does not match.
Probably there was an error, the file was not downloaded completly or is somehow corrupted. Try deleting the file and run the autoinstaller again.

I renamed the file and tried running the autoinstaller again but it responded with:

You already have the latest version of product(s) and all selected components
installed. Installation will not continue.

 

[LuisN]

Hi,

You better not trust that assumption, because the Nov 13 is the date when the file was created in file system...

Cheers

I was just about to reply with the observation that my file's timestamp is the time I ran the autoinstaller.