Thinking of installing proftpd-1.3.2rc4

ioDaniel
Hi Everyone

I am thinking of upgrading the default install version of PROFTP to the latest stable proftpd-1.3.2rc4 version.

I have read http://www.directadmin.com/forum/showthread.php?t=16449
and also
http://www.directadmin.com/forum/archive/index.php/t-16449.html
plus threads: ProFTP how-to UPDATE and ProFTPD 1.3.2 released!

Before I do anything, I just wanted to ask if anyone has any advice to offer. The steps look complicated and if something goes wrong - not that easy to go backwards (sorry, don't forget I am a newbie with DirectAdmin - have been running the server now for just 5 or 6 weeks).

We are running the following OS and Versions:
Compiled on Redhat CentOS 5.0
Server Version 1.33.1
Apache 2.2.6
Exim 4.67
MySQL 5.0.37
Named 9.3.3rc2
ProFTPd 1.3.1
sshd
vm-Pop3d 1.1.7f-DA-2



Some background
I have been dealing with a malicious hacker who has been using our server to send SPAM (subject of a previous thread).

I found the hacker had hacked into CGI Bins of most of the web sites we host (just 42 on this server at the moment). None of our sites use CGI Bin so I didn't check them at first until last week. Using the logs to see where the SPAM was coming from, I narrowed the search down to 4 sites and discovered a stack of .pl files in one root directory (which I knew were not installed by us). More checking and I found a stack more .pl files in the CGI Bin and so spent the rest of the day cleaning out and deleting the CGI Bin.

While this was going on, the hacker had started running his script and I could see SPAM going out as well as a mountain of email queued by the mail server. I deleted these but more kept arriving.

I then decided to STOP the services for POP3, Proftp and Exim, and this stopped the SPAM being sent / queued.

I then tried to change the password for the 4 affected sites and my own Admin login...and was unable to because some services were stopped .. so I restarted the three services, changed the passwords for the 4 sites as well as my own Master Passwords.

No one told me that DirectAdmin master passwords can't use symbols like ,# and so on. So I got locked out because I used symbols with Alphanumerics.....thank heaven for this Forum because I found how to change my password and this worked.

When I got back in, the Mail Queue was rapidly filling up again, so I deleted the 50 or so pages of queued emails...found which servers the $##@@$!!! was coming from...tried to blacklist that IP and he immediately changed IP...but was still getting in and running his send mail script. I could see the logs showing me a list of STOR and DELE for the 4 main sites he was using...

I then went through all the hosted sites searching for .pl files and removed all of them I found in a couple of other sites.

But he was still sending SPAM...so I decided the only way was to change passwords again (this time no symbols in my Master Password), and then stop
PROFTP, EXIM and POP3.

This all happened yesterday afternoon (Sunday local time). First thing this morning, I checked the server and the MAIL QUEUE was empty. I then restarted services and no more SPAM was being sent. It's now 6 hours later and so far so good..

One last comment. I found all our sites had .shadow files and deleted 4 before thinking I should check this forum for that..and discovered I shouldn't have deleted them.

I can see there is a line of code inside the file which I assume is a meaningful string related to DA passwords.
Is this a problem?

Which brings me back to my main question (at the top of my story).
I am thinking of upgrading the default install version of PROFTP to the latest stable proftpd-1.3.2rc4 version.

Before I do anything, I just wanted to ask if anyone has any advice to offer. The steps look complicated and if something goes wrong - not that easy to go backwards (sorry, don't forget I am a newbie with DirectAdmin - have been running the server now for just 5 or 6 weeks).

Hope to hear from you

Daniel
Admin
 
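The post above describes spotting the attacker through STOR and DELE entries for the affected sites. As an added example (not part of the original thread, and not DirectAdmin's or ProFTPD's own tooling), the script below shows one way to triage ProFTPD transfer-log (xferlog) lines for exactly that pattern: incoming uploads of script files into cgi-bin directories, grouped by remote host. The log lines, account names, hosts and paths are constructed for illustration; the real xferlog location varies by install.

```shell
#!/bin/sh
# Added example (not from the original thread): triage ProFTPD transfer-log
# (xferlog) lines for script uploads into cgi-bin directories. The log lines,
# hosts and paths below are constructed for illustration.

# Constructed sample in the standard xferlog format:
#   day month date time year xfer-secs host size path type flag dir mode user ...
SAMPLE_XFERLOG='Sun Jun 14 03:12:01 2009 1 198.51.100.7 2210 /home/site1/domains/example.com/public_html/cgi-bin/mailer.pl b _ i r site1 ftp 0 * c
Sun Jun 14 03:12:05 2009 1 198.51.100.7 960 /home/site1/domains/example.com/public_html/cgi-bin/inc.pl a _ i r site1 ftp 0 * c
Sun Jun 14 03:12:09 2009 1 198.51.100.7 35 /home/site1/domains/example.com/public_html/cgi-bin/list.txt a _ i r site1 ftp 0 * c
Sun Jun 14 09:40:22 2009 2 203.0.113.9 120443 /home/site2/domains/example.org/public_html/images/logo.png b _ o r site2 ftp 0 * c
Sun Jun 14 11:02:48 2009 1 198.51.100.22 1877 /home/site3/domains/example.net/public_html/cgi-bin/send.php b _ i r site3 ftp 0 * c
Sun Jun 14 11:02:49 2009 1 198.51.100.22 1877 /home/site3/domains/example.net/public_html/index.html a _ i r site3 ftp 0 * c'

# Read xferlog text on stdin; print "host user path" for each incoming
# transfer (direction field "i") of a script file under a cgi-bin directory.
# Downloads ("o") and non-script uploads are ignored.
suspicious_uploads() {
    awk '
        # $1-$5 timestamp, $6 transfer seconds, $7 remote host, $8 size,
        # $9 path, $10 type, $11 special flag, $12 direction, $13 mode, $14 user
        $12 == "i" && $9 ~ /\/cgi-bin\// && $9 ~ /\.(pl|php|cgi|sh)$/ {
            print $7, $14, $9
        }'
}

# Count script uploads per remote host so the source address stands out
# even when the attacker rotates between compromised accounts.
uploader_hosts() {
    suspicious_uploads | awk '{ c[$1]++ } END { for (h in c) print c[h], h }' | sort -rn
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_XFERLOG" | suspicious_uploads
printf '%s\n' "$SAMPLE_XFERLOG" | uploader_hosts
```

On a live box, replace the constructed sample with `suspicious_uploads < /path/to/xferlog`; the filter only looks at the direction field and the path, so it works on any log written in the wu-ftpd/xferlog layout regardless of which accounts were used.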
Well, first of all you should think Security.
You can install proftpd yourself, but it's better to do:
Code:
[root@server /]# cd /usr/local/directadmin/custombuild
[root@server custombuild]# ./build clean
[root@server custombuild]# ./build update
[root@server custombuild]# ./build proftpd
It will reinstall proftpd and make everything as it was.

Also add a daily limit for emails, 200 should be enough.
Code:
[root@server /]# echo "200" > /etc/virtual/limit && service exim restart

You should also check the system for rootkits and other malicious stuff. Check for strange directories in /etc/ and install rkhunter.
Also I would recommend to mount /home partition with nosuid,nodev, and if you are not planning any cgi running or stuff like that, add noexec. Everything can be done in /etc/fstab
Something like :
Code:
/dev/xxxx    /home    ext3    defaults,noatime,usrquota,grpquota,nosuid,nodev,noexec         1 1
You can add noatime for a speed-up of your filesystem.

Also you can finish with PHP security and for the beginning disable unused and risky functions.
Code:
escapeshellarg, escapeshellcmd, dl, shell_exec, exec, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, system, posix_access, posix_ctermid, posix_get_last_error, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_mknod, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_strerror, posix_times, posix_ttyname, posix_uname, apache_child_terminate, apache_get_modules, apache_get_version, apache_lookup_uri, apache_note, apache_request_headers, apache_reset_timeout, apache_response_headers, apache_setenv, ascii2ebcdic, ebcdic2ascii, getallheaders, virtual, php_uname, disk_free_space, diskfreespace, disk_total_space, leak, ini_alter, ini_restore, openlog, show_source, highlight_file
Add all to disable_functions in your php.ini

Well that's it.
Any questions? :)
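The reply above lists hardening steps but no way to confirm they landed. As an added example (not from the original thread, and not a DirectAdmin or custombuild tool), the script below checks two of them: that the /home mount actually carries nosuid, nodev and noexec, and that every function you meant to disable really appears in php.ini's disable_functions. The mount table and php.ini excerpt are constructed samples; on a live server feed the functions /proc/mounts and the real php.ini instead.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that the mount-option
# and php.ini hardening suggested above actually took effect. The mount table
# and php.ini excerpt below are constructed samples.

# Constructed /proc/mounts-style sample: /home has nosuid,nodev but not noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,noatime,data=ordered 0 0
/dev/sda3 /home ext3 rw,noatime,usrquota,grpquota,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Constructed php.ini excerpt with only a partial disable_functions list.
SAMPLE_PHPINI='; php.ini excerpt
expose_php = Off
disable_functions = exec, passthru, shell_exec, system
allow_url_fopen = Off'

# $1 = mount point; stdin = /proc/mounts or /etc/fstab text (same field
# positions: 2 = mount point, 4 = options). Prints the options from the
# reply (nosuid nodev noexec) that are missing, an empty line if none,
# or MOUNT_NOT_FOUND if the mount point is not listed at all.
missing_mount_opts() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            split("nosuid nodev noexec", want, " ")
            miss = ""
            for (i = 1; i <= 3; i++)
                if (!(want[i] in have)) miss = miss (miss == "" ? "" : " ") want[i]
            print miss
        }
        END { if (!found) print "MOUNT_NOT_FOUND" }'
}

# $1 = space-separated list of functions that must be disabled; stdin =
# php.ini text. Prints one line per function absent from disable_functions.
php_missing_disabled() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' |
               tr -d ' \t' | tr ',' '\n')
    for f in $1; do
        printf '%s\n' "$disabled" | grep -qx -- "$f" || printf '%s\n' "$f"
    done
}

# Stand-alone run against the constructed samples:
echo "/home lacks: $(printf '%s\n' "$SAMPLE_MOUNTS" | missing_mount_opts /home)"
echo "php.ini still allows:"
printf '%s\n' "$SAMPLE_PHPINI" | php_missing_disabled 'exec shell_exec proc_open dl system'
```

Checking /proc/mounts rather than /etc/fstab matters: an edited fstab does nothing until the filesystem is remounted (`mount -o remount /home`), and a typo in the options line can leave /home mounted with the old flags while fstab looks correct.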
 
Thanks for your advice

I have done little else except think security for days now...so honestly thanks.

I will go through your list and if I have any problems, come back here (also to say everything worked).

Daniel
IO Wow
 
...install proftpd yourself

Hi

Well the first step went well and I completed a reinstall of ProFTPD...

I haven't changed the email limit because we have one client who sends out a monthly newsletter to a large mailing list (but they limit the number of send mails sent at one time).

I then decided to try to install RKHunter, and got the process from the RKhunter site.

I got to step 5 (1. Install RKHunter: ./installer.sh)

...and am stuck there.

Every time I try to run
./installer.sh
I get a message saying I must use a default switch and the switch must be first..I have tried all the various options provided and nothing happens.
(Yes I have changed directory to the new RKhunter directory)

The most obvious switches are:
- default: (FHS compliant),
- /usr,
- /usr/local,

For example I tried:
./installer.sh --install default:
./installer.sh default --install
./installer.sh -/usr,
.installer.sh -local/usr

...and so on.

Sorry, it's probably obvious to someone who has experience but as a newbie I am stumped. Your suggestions gratefully appreciated.

Last and not least:
You mention looking for strange directories in /etc (they all look strange..well some look stranger than others, so I checked by change date and found a couple of directories changed in the last few days). Does blkid mean anything to you? Everything else looked OK

Thanks again for your help

Daniel
ioAdmin
 