ioDaniel
Verified User
Hi
Background (Sorry if this is too detailed).
I asked for help a couple of weeks ago after our Server IP was hacked and abused by a SPAMMER and we got blacklisted by Abuseat as well as Yahoo.
We manage the server with the following (DirectAdmin 1.33.1 - Apache 2.2.6, Centos, Exim 4.67, MySQL 5.0.37, ProFTPd 1.3.1 ...). I have been fixing the problem (thanks Jeff), as well as looking at how to prevent the problem in future.
Much as I would like to install a Firewall, the combination of DirectAdmin version, Centos and Apache means this is not an option at the moment.
The next issue is to resolve the FTP problem that Jeff outlined in his detailed reply. I have gone through all the sites we host and changed:
* Control Panel and FTP passwords.
* Re-checked all local PCs for Trojans, viruses etc. (something we do rigorously anyway).
* Checked logs (I know the IP and URL where the spammer is coming through, but this is probably just another jump of many to get to us).
* Cleaned all infected sites (both the Iframe as well as SQL injection) - more than once while we did the next step.
* Re-written a new Authentication sequence to reinforce web forms, login pages and so on...
I then started to look at FTP and found that the FTP module included with DirectAdmin is itself a problem. I quote:
02/20/09
CVE 2009-0542
A vulnerability exists in ProFTPD that could be exploited by remote attackers to conduct SQL injection attacks on the server. This flaw is due to improper validation of a user-supplied username string before being used in an SQL query. A remote unauthenticated attacker can trigger this vulnerability by sending a malicious username to the target ProFTPD server and gain the privileges of a legitimate user.
and an older alert:
10/03/08
CVE 2008-4242
The ProFTPD 1.3.1 and prior is prone to a security vulnerability, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command.
We are using ProFTPD 1.3.1 and I can see there is an update available:
1.3.2 released
[5/Feb/2009]
The ProFTPD Project team is happy to release 1.3.2 to the community. This is a bugfix release, including a SQL injection vulnerability fix. The RELEASE_NOTES and NEWS files contain the full details.
The Question
Since most of the problem we had, and have, is to do with managing server access, my question is: has anyone upgraded ProFTPD in DirectAdmin? (I am a new user of DirectAdmin, and learning fast. Not a pro... my background is really about operations and admin, not managing a web server, programming etc.)
Can anyone please, please advise me of the steps to take for upgrading and, if possible, the commands... I do have root access...
My genuine thanks in advance
Daniel
IO Wow
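An added example, not part of the original post and not ProFTPD's own code: the class of flaw the quoted CVE 2009-0542 advisory describes (a username placed into an SQL query without proper validation), shown beside a parameterized lookup. The table, column and function names and the sample usernames are assumptions constructed for illustration, using an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed input: a "username" carrying SQL syntax instead of a name.
CRAFTED = "nobody' OR '1'='1"

def make_user_db():
    """Build a constructed stand-in for an FTP server's SQL user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ftp_users (userid TEXT PRIMARY KEY, homedir TEXT)")
    db.executemany(
        "INSERT INTO ftp_users VALUES (?, ?)",
        [("alice", "/home/alice"), ("bob", "/home/bob")],
    )
    return db

def lookup_unsafe(db, username):
    """Flawed pattern: the username becomes part of the SQL text itself."""
    query = "SELECT userid, homedir FROM ftp_users WHERE userid = '%s'" % username
    return db.execute(query).fetchall()

def lookup_safe(db, username):
    """Hardened pattern: the username is bound as data, never parsed as SQL."""
    query = "SELECT userid, homedir FROM ftp_users WHERE userid = ?"
    return db.execute(query, (username,)).fetchall()

def username_is_plausible(username):
    """Allow-list check applied before any lookup (hypothetical policy)."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,32}", username) is not None

if __name__ == "__main__":
    db = make_user_db()
    for name in ("alice", CRAFTED):
        print(repr(name))
        print("  plausible username:", username_is_plausible(name))
        print("  string-built query:", lookup_unsafe(db, name))
        print("  bound parameter:   ", lookup_safe(db, name))
```

With the string-built query the crafted name matches every account, while the bound-parameter query matches none and the allow-list rejects it before any query runs.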