Is my Admin account compromised?

Hi

Today I came to know that my FTP user and password might have been stolen through a man-in-the-middle attack by my dumb neglect of trusting a fake certificate while connecting to my FTP account. You know, for a moment I forgot that my server does not have an SSL cert. Of course, it does have one for the DA login but none for my FTP account. I'm worried that the attacker has, for instance, injected some malicious code into my server. I want to know the scope of such contamination, that is to say, since the mentioned FTP account belonged to the user level, is my DA "admin" account also, by any means, affected? Sorry if it is a silly question, but I just want to make sure whether I have to worry about my OS in general being somehow in danger of being contaminated.

Please give me your ideas about this problem.

Many thanks.
 
There could be a possibility, since the attackers have your admin FTP password, which normally is the same as your admin login password for DA.
The question is whether they made use of that possibility; that's hard to say. It also depends on whether admin has SSH access. I always use SSH keys and disable password login; this way admin is in the SSH config as an allowed user, but does not have access. However, this can easily be changed via the admin file editor.

The best thing to do is to check whether somebody other than you has logged in to the admin panel of DirectAdmin.

The first thing to do is to change passwords anyway. Also clean out your PC with tools like AdwCleaner and after that Malwarebytes, to be sure it's not a trojan on your PC which has stolen the FTP password, which has been happening quite often lately.

If you want to be 100% sure nothing has changed, you would have to be running a tool like, for example, rkhunter, which would point you to changed files. Or completely reinstall your server.

Nothing wrong might have been done yet, so it could be that the OS is not in danger or contaminated. But the chances are 50/50. There is almost no way to be certain.
But again, see if anyone has logged in via DirectAdmin on the admin account and/or SSH. If not, the OS almost can't be contaminated, but you should remove and reinstall your user files (so your website) in any case, to be sure there's nothing wrong with them and they're not infecting visitors.
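Richard's advice to check whether anyone else has logged in over SSH, as an added example written for this thread (not code from the forum or from DirectAdmin): it parses the standard OpenSSH auth.log "Accepted ..." lines and reports logins for watched accounts that either used a password (which should not be possible when password login is disabled, as Richard describes) or came from an address you do not recognise. The log lines, hostname, user names and addresses below are constructed test data, and the watched-user and known-IP sets are assumptions you would replace with your own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample lines in the standard OpenSSH auth.log format.
# Hostname, users and addresses are hypothetical (RFC 5737 test ranges),
# not taken from the thread or from any real server.
SAMPLE_AUTH_LOG = """\
Jul 16 09:12:01 srv1 sshd[2101]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2: RSA SHA256:abc
Jul 16 09:40:13 srv1 sshd[2188]: Failed password for admin from 203.0.113.45 port 41002 ssh2
Jul 16 09:40:19 srv1 sshd[2188]: Accepted password for admin from 203.0.113.45 port 41002 ssh2
Jul 16 10:02:55 srv1 sshd[2301]: Accepted password for bob from 198.51.100.7 port 50200 ssh2
Jul 16 11:15:00 srv1 sshd[2410]: Accepted publickey for root from 203.0.113.99 port 33010 ssh2: ED25519 SHA256:def
"""

# Only successful logins answer "did someone get in"; failed attempts are
# left out here (they matter for brute-force detection, a separate question).
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    method: str   # "password", "publickey", "keyboard-interactive", ...
    ip: str


def parse_accepted_logins(log_text: str) -> List[Login]:
    """Return every successful sshd login found in the log text, in file order."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            logins.append(Login(m["ts"], m["user"], m["method"], m["ip"]))
    return logins


def flag_logins(logins: Iterable[Login], watched_users: Set[str],
                known_ips: Set[str]) -> List[Tuple[Login, List[str]]]:
    """Keep logins for watched accounts that used a password or came from an
    address the operator does not recognise. Each hit carries its reasons."""
    flagged = []
    for login in logins:
        if login.user not in watched_users:
            continue
        reasons = []
        if login.method == "password":
            reasons.append("password authentication")
        if login.ip not in known_ips:
            reasons.append(f"unknown source {login.ip}")
        if reasons:
            flagged.append((login, reasons))
    return flagged


if __name__ == "__main__":
    # Assumed operator policy: admin and root are watched, one office IP is known.
    hits = flag_logins(parse_accepted_logins(SAMPLE_AUTH_LOG),
                       watched_users={"admin", "root"},
                       known_ips={"198.51.100.7"})
    for login, reasons in hits:
        print(f"{login.ts} {login.user}@{login.ip} via {login.method}: {', '.join(reasons)}")
```

On a real server you would feed the contents of /var/log/auth.log (or /var/log/secure, depending on the distribution) to parse_accepted_logins instead of the sample text; a hit for admin or root from an address you cannot account for is the signal Richard describes, and a password login for those users when you believe password authentication is disabled means the SSH configuration itself should be re-checked.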
 
Thanks

Hello Richard

Thanks a lot for your explanation. Actually, the FTP account belongs to the user, not the admin, and the admin's password was not the same as the mentioned FTP password. In other words, there were three different passwords, including the user's login password to the DA panel, the user's FTP password, and the admin's password to the DA panel. I had not made any FTP accounts for the admin, so can I be sure that the admin's space is not contaminated?
 
That's very smart to have different passwords for those.

I had not made any ftp accounts for the admin
This is made automatically. As soon as a domain is created for admin, you can access admin's home directory by using FTP with the DA login password.

With only the FTP password on user level, if the other passwords are different, they can only contaminate parts you can reach with FTP on user level.
The OS is probably not contaminated.

so can I be sure that the admin's space is not contaminated?
No, because the user level of the admin account is still admin. With that FTP account, even with a different password, you still reach /home/admin, so this part can still be contaminated and has to be checked very carefully. Also directories like /home/admin/admin_backups and especially /home/admin/domains/default, which can put scripts automatically on new accounts created by admin.

So there's a difference between admin's home space and the OS. In this case there is a very good chance nothing happened with the OS, as long as the FTP password was different from the SSH and DA login passwords.

P.S. If the user was not the admin user (so was not the admin on user level) but just a user made by admin, you should be safe.
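Richard's point that /home/admin, /home/admin/admin_backups and especially /home/admin/domains/default must be checked because anything planted there can be copied onto new accounts, as an added example written for this thread (not code from the forum or from DirectAdmin): it walks a directory tree and reports files that were modified after a cutoff or that have a script-like or server-config name, so recently appeared PHP files in a template directory stand out. The build_demo_tree helper constructs a hypothetical admin home in a temporary directory so the example runs offline; the directory layout mirrors the paths named in the post, while the file names and the seven-day cutoff are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List, Tuple

# Names the web server or shell would execute; a new file of this kind under
# a template or backup directory deserves a look even if its content looks benign.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".pl", ".cgi", ".sh", ".py"}
SPECIAL_NAMES = {".htaccess", ".user.ini"}  # no suffix, but they change server behaviour


def default_cutoff(days: int = 7) -> float:
    """Epoch timestamp 'days' ago; files changed after it are reported."""
    return time.time() - days * 86400


def find_suspect_files(root: Path, changed_since: float) -> List[Tuple[str, List[str]]]:
    """Walk root and return (relative path, reasons) for every file that was
    modified after changed_since or has a script-like name. Sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            st = path.lstat()              # lstat: do not follow a planted symlink
            reasons = []
            if st.st_mtime > changed_since:
                reasons.append("modified after cutoff")
            if path.suffix.lower() in SCRIPT_SUFFIXES or name in SPECIAL_NAMES:
                reasons.append("script or server-config file")
            if reasons:
                findings.append((str(path.relative_to(root)), reasons))
    return sorted(findings)


def build_demo_tree() -> Path:
    """Construct a hypothetical admin home in a temp directory: two month-old
    files that should not be reported and two freshly written ones that should."""
    root = Path(tempfile.mkdtemp(prefix="da_demo_"))
    public_html = root / "domains" / "default" / "public_html"
    public_html.mkdir(parents=True)
    (root / "admin_backups").mkdir()
    thirty_days_ago = time.time() - 30 * 86400

    old_index = public_html / "index.html"
    old_index.write_text("<html>placeholder</html>")
    os.utime(old_index, (thirty_days_ago, thirty_days_ago))

    old_backup = root / "admin_backups" / "user.tar.gz"
    old_backup.write_bytes(b"\x1f\x8b")           # gzip magic only, constructed
    os.utime(old_backup, (thirty_days_ago, thirty_days_ago))

    # Two recent files: one executable by the web server, one plain text.
    (public_html / "helper.php").write_text("<?php /* constructed sample */ ?>")
    (public_html / "notes.txt").write_text("constructed sample")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, reasons in find_suspect_files(demo, default_cutoff(7)):
        print(f"{rel}: {', '.join(reasons)}")
```

Against a real server you would call find_suspect_files(Path("/home/admin"), default_cutoff(days)) with a cutoff just before the suspected compromise date; a file reported for both reasons under domains/default or admin_backups is the case Richard warns about, since DirectAdmin copies that template onto accounts created afterwards. Modification time can be reset by an attacker, so an empty result supports but does not prove that nothing changed, which is why Richard still recommends a file-integrity tool such as rkhunter or a reinstall for certainty.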
 
Explanation

Sorry if I have not explained well, but I think I need to explain a little bit further. Aside from the original DA root user, I have one admin user as well and one extra other user which I made at the reseller level. The FTP account I talk about is the one belonging to the last user (that is, the one I made through the reseller level while I was logged in to the admin account). So according to your last sentence, can I assume the admin user of the admin level is safe and is not contaminated, because when I search the files of this user, I do not see the files of the reseller user?

Hope I have not confused you by my explanation.

Thanks
 
Seems fine to me, but....
Richard G said:
But again, see if anyone has logged in via DirectAdmin on the admin account and/or SSH.
As you can see, zEitEr also advises checking the logs anyway. It's a good way to see if attempts were made. Just to be sure.
Remember, an admin is an admin; it doesn't matter much if it's the "root" admin or a new admin. They both have the "defaults" directory etc.
 