exploiter
08-26-2002, 02:08 PM
Hi,
I'm a reseller on a cpanel/WHM server - (I run a small gaming network). The problem is, a few weeks back, one of my sites fired their joint webmaster, we changed the ftp pass but now the fired webmaster has found some kind of program to scan the server and tell him the ftp/cpanel password? Have any of you heard of anything like this before? Could this be a loophole in proftpd or redhat itself?
Thanks,
exploiter
2host.com
08-26-2002, 02:42 PM
Originally posted by exploiter
Hi,
I'm a reseller on a cpanel/WHM server - (I run a small gaming network). The problem is, a few weeks back, one of my sites fired their joint webmaster, we changed the ftp pass but now the fired webmaster has found some kind of program to scan the server and tell him the ftp/cpanel password? Have any of you heard of anything like this before? Could this be a loophole in proftpd or redhat itself?
Thanks,
exploiter
This webmaster likely created a backdoor or additional account when he did have access. Or he logged in previously or still had some type of access. You'll need to change the password for emails, FTP, shell (if different), control panel (if different), etc. Also, it could be that they just sniffed the FTP port (21) and waited for a username and password to come by (since it's passed in clear text).
It's not ProFTPD, and it's certainly not Redhat (it's just an OS; there's no way to "scan" it). You either have an exploitable service running or they sniffed the password or didn't remember to change some access to email or whatever, or they added themselves another account previously (or you didn't complete the process at some point).
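The "additional account" possibility raised in the reply above can be checked by auditing the server's account list. The script below is an added example, not part of the original posts: it assumes account records in passwd(5) format (the format ProFTPD's AuthUserFile also uses), and the sample entries, the `gamesite` owner and the `find_suspect_accounts` name are all constructed for illustration.

```python
import posixpath

# Constructed sample data: not taken from any real server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gamesite:x:1004:1004::/home/gamesite:/bin/bash
gs_backup:x:1004:1004::/home/gamesite/public_html:/bin/false
othersite:x:1005:1005::/home/othersite:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
news:x:1010:1010::/home/gamesite/public_html/news:/sbin/nologin
# comment line
broken-line
"""

def parse_passwd(text):
    """Yield (name, uid, home) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2]), posixpath.normpath(fields[5])

def find_suspect_accounts(text, owner):
    """Return {account: [reasons]} for logins that overlap the owner's access."""
    records = list(parse_passwd(text))
    owners = [r for r in records if r[0] == owner]
    if not owners:
        raise ValueError(f"owner account {owner!r} not found")
    _, owner_uid, owner_home = owners[0]
    suspects = {}
    for name, uid, home in records:
        if name == owner:
            continue
        reasons = []
        if uid == 0 and name != "root":
            reasons.append("uid 0 (root-equivalent)")
        if uid == owner_uid:
            reasons.append("shares the owner's uid")
        # Path-aware prefix test so /home/gamesite2 does not match /home/gamesite.
        if home == owner_home or home.startswith(owner_home + "/"):
            reasons.append("home directory inside the owner's tree")
        if reasons:
            suspects[name] = reasons
    return suspects

if __name__ == "__main__":
    for account, why in find_suspect_accounts(SAMPLE_PASSWD, "gamesite").items():
        print(f"{account}: {', '.join(why)}")
```

Any account it reports that the site owner cannot explain is a candidate for removal or a password change alongside the email, FTP, shell and control panel passwords listed in the reply.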
exploiter
08-26-2002, 03:07 PM
Hmm... some good points there.
I'll look into it, thanks :)