On 04/10/2015 09:10 PM, Karsten Malcher wrote:
> Package: pure-ftpd-common
> Version: 1.0.36-1.1
> Severity: important
>
> Hello,
>
> i am using this FTP server combined with ISPConfig 3.
>
> 3 days ago every ftp account was totally hacked!
> Some guys in Estonia, Harjumaa, Tallinn and China have modified files from
> the webserver.
> It seems they have got access to every FTP user!
>
> There are no trivial passwords for the FTP-user.
>
> I deactivated the FTP server now.
>
> Here are some examples i found in /var/log/messages:
>
> Apr 6 18:42:46 vmanager1519 pure-ftpd:
> ([email protected]) [NOTICE]
> /var/www/clients/client0/web6//web/index.php uploaded (8007 bytes,
> 69.99KB/sec)
> Apr 6 18:42:46 vmanager1519 pure-ftpd:
> ([email protected]) [NOTICE]
> /var/www/clients/client0/web6//web/jtl.php downloaded (57438 bytes,
> 712.09KB/sec)
> Apr 6 18:42:47 vmanager1519 pure-ftpd:
> ([email protected]) [NOTICE]
> /var/www/clients/client0/web6//web/jtl.php uploaded (57632 bytes,
> 279.30KB/sec)
> Apr 6 18:42:47 vmanager1519 pure-ftpd: ([email protected])
> [NOTICE]
> /var/www/clients/client0/web9//web/jtl-shop3-test.php downloaded (4492
> bytes, 235.30KB/sec)
> Apr 6 18:42:47 vmanager1519 pure-ftpd:
> ([email protected]) [NOTICE]
> /var/www/clients/client0/web6//web/kontakt.php downloaded (5158 bytes,
> 67070.37KB/sec)
>
Hello Karsten,
we need more information to conclude this is really a security hole in Pure-FTP.
Which authentication methods are allowed? Can you send me the contents of the
/etc/pure-ftpd directory?
Regards
Racke
>
>
> -- System Information:
> Debian Release: 7.8
> APT prefers proposed-updates
> APT policy: (500, 'proposed-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.12.9-xen (SMP w/2 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages pure-ftpd-common depends on:
> ii debconf [debconf-2.0] 1.5.49
> ii libpam-modules 1.1.3-7.1
> ii perl-modules 5.14.2-21+deb7u2
>
> Versions of packages pure-ftpd-common recommends:
> ii pure-ftpd-mysql [pure-ftpd] 1.0.36-1.1
>
> pure-ftpd-common suggests no packages.
>
> -- debconf information:
> pure-ftpd/ftpwho-setuid: false
> pure-ftpd/saved-inetd-config:
> pure-ftpd/standalone-or-inetd: standalone
> pure-ftpd/virtualchroot: false
> pure-ftpd/minuid:
> pure-ftpd/config-obsolete-note:
>
--
Modern Perl, Dancer and eCommerce consulting.
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]