Hi, My three servers have been hacked these days. One (big) line of code has been added at the end of some files (index, etc.) by someone or something ... This is the code : It seems (???) that this is an FTP problem. As my 3 servers have been configured with Ubuntu 8.04 LTS, fully updated, with ISPConfig 2 (last version 2.2.35), I do admit that I am a bit confused with that... Here is some more news about this : - http://seoforums.org/site-optimization/118-script-gnu-gpl-try-window-onload-function-var.html THE BIG QUESTION : HOW-TO secure more ftp ? Must I change the passwords for now ? At last, I must say that all of my servers are configured according to "Ubuntu Perfect Server" from howtoforge.org.
You can try to use TLS with ProFTPd: http://www.howtoforge.com/setting-up-proftpd-tls-on-ubuntu-9.04-jaunty-jackalope And yes, I think it's a good idea to change passwords.
Hi ! Thanks ! I've used http://www.howtoforge.com/setting-up-proftpd-tls-on-ubuntu-9.04-jaunty-jackalope to configure my ProFTPd / ISPConfig 2 server ... But I can NOT connect to my server : proftpd tls 500 AUTH not understood If I comment out #Include /etc/proftpd_ispconfig.conf it connects BUT it can not list the repositories ... Any idea ???
I don't know the exact switch on how to check which proftp modules are loaded. Nevertheless you can check this, as there is a specific module that needs to be loaded for TLS. I tried this on my Debian machine some time ago, but did not get it working as there was no possibility to have this module loaded, as it seems that it does anyhow not exist in the Debian version of proftpd. But independent of that, if the server was really hacked I would consider rebuilding the whole servers as you can never be sure whether a rootkit or similar was installed on your machine, so changing passwords would be no real help. Did you also check your machine with e.g. rkhunter?
I've seen this before. For me, it was a customer who used an illegal version of CuteFTP (used a file called patch.exe) which actually contained a keylogger, logged the login credentials, and could login straight away without any errors, added the code in ALL index.* files and logged off. Install rkhunter and ClamAV and scan your disc for more infections, because your websites will be reported as "deformed/malware" through Firefox/Google very fast.
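Added example, not part of the thread or written by any of its posters: a small Python check for the symptom described above, a long line appended to the end of index.* files. The length threshold, the marker list and the closing tags it keys on are assumptions to tune per site, and every hit needs manual review.

```python
import os
import sys

# Assumed thresholds for this sketch; tune them for your own sites.
MAX_APPENDED_LEN = 300
MARKERS = ("<script", "<iframe", "eval(", "unescape(", "document.write")
CLOSERS = ("</html>", "?>")  # where a clean index file normally ends


def appended_tail(path):
    """Return whatever follows the last closer on the file's last non-empty line."""
    with open(path, "rb") as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    if not lines:
        return "", False
    tail = lines[-1].decode("utf-8", "replace")
    low = tail.lower()
    cut = max(low.rfind(c) + len(c) if c in low else 0 for c in CLOSERS)
    return tail[cut:].strip(), cut > 0


def inspect_file(path):
    """Return the reasons the end of the file looks tampered with, or []."""
    extra, after_closer = appended_tail(path)
    reasons = []
    if extra and after_closer:
        reasons.append("content after closing tag")
    if len(extra) > MAX_APPENDED_LEN:
        reasons.append("appended text is %d chars long" % len(extra))
    hits = [m for m in MARKERS if m in extra.lower()]
    if hits:
        reasons.append("script markers: " + ", ".join(hits))
    return reasons


def scan_webroot(root):
    """Walk root and return {path: reasons} for suspicious index.* files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("index."):
                path = os.path.join(dirpath, name)
                reasons = inspect_file(path)
                if reasons:
                    findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(scan_webroot(sys.argv[1]).items()):
        print(path + ": " + "; ".join(reasons))
```

Run it with the web root as the only argument. A clean result does not show the server is uncompromised, since it only looks at the tail of index.* files.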