Security hole in FTP server version 1.0.36

Discussion in 'Developers' Forum' started by Karsten, Apr 11, 2015.

  1. Karsten

    Karsten New Member

    Maybe I have done something wrong, but I used the standard installation of ISPConfig.
    It has worked for one year without any problem.

    # cat /usr/local/ispconfig/interface/lib/config.inc.php | grep VERSION
    define('ISPC_APP_VERSION', '3.0.5.3');

    I described the details at Debian in this report:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782353
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The log excerpt shows only files from web6, are files placed into other websites as well?
    Are you still able to login with your ftp passwords, or did they get replaced?

    Btw: You use a really old ISPConfig version that you should update. I don't think that it's related to this problem, but you should update regularly to keep a secure setup.
     
  3. Karsten

    Karsten New Member

    1. Yes - there were files changed on other sites / users also
    2. Login was still possible with the old passwords

    I also found successful logins from a guy located in America.
    So I mean this must be an exploit in the pure-ftpd server.

    Really old release?
    It should be the stable version from one year ago.
    I have updated it now to
    define('ISPC_APP_VERSION', '3.0.5.4p5');
    Is there such a big difference?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. I just asked to ensure that the hacker did not just reset them in the MySQL database. In any case, you should check the sys_datalog table in the dbispconfig database to see if there are any changes in the ftp_user table done through ISPConfig that you are not aware of.

    Yes, one major plus 6 minor releases, so you left out 6 updates including major new security features like the new security permission stack, the integrated IDS system etc.
     
  5. Karsten

    Karsten New Member

    I could see no suspicious entries in the sys_datalog table.
    There is no entry regarding FTP before day X, when we were hacked.

    The ftp_user table seems to be O.K.
    I see the 4 users that were defined and are now disabled.
    But I have stopped the FTP server now.

    For your information:
    Someone tried to modify the PHP files of a JTL-Shop.
    I think the target was to redirect customer data.
    It's not easy to say because the PHP files are encrypted with ionCube.
    But he did a bad job and the shop did not run any more - otherwise this hack would not have gotten attention!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    If there is nothing suspicious in the sys_datalog table, then the hack has most likely not been done through the ISPConfig interface.

    I think the following possibilities remain:

    1) The hacker got the password from somewhere, e.g. an FTP connection without TLS over an insecure network, or a trojan on one of the desktop PCs that were used to connect to this server, or the same password is used for a different service and that other service was compromised, which resulted in a leak of the password.
    2) The hacker somehow got access to the dbispconfig MySQL database, which contains the table that pure-ftpd uses for authentication, so he could exchange the password in the ftp_user table, log in and restore the old password right after that.
    3) Some kind of misconfiguration in pure-ftpd.
    4) A security hole in pure-ftpd.
     
  7. Karsten

    Karsten New Member

    I agree.

    There were hand-made, different passwords with upper and lower case letters and numbers.
    I think it was not a brute-force attack, because Snort is running. Maybe we can get more information here?
    The system seems to be clean - every check for a rootkit fails and the checksums of all files are O.K.
    In the logs I could only see logins for the FTP accounts.

    3) You can find the actual configuration in the Debian bug report.
    https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=40;filename=etc.pure-ftpd.tgz;att=1;bug=782353
    4) This is the best explanation for what has happened.
     