  1. #1
    Join Date
    Mar 2004
    Location
    /dev/null
    Posts
    275

    Pure-ftpd compromised?

    Hi all,

    It just came to my attention while seeking some of my logs that successful connections were made to my Pure-FTPD v1.0.22 for the last 4 weeks. Since it is a stable production environment, I almost never have to audit it (this explains the 4 week period).

    I have included a snippet of my logs (which make up over 1 meg).

    The first connections from bell.ca are legitimate and trusted connections. The next host (mirohost.net) tries to connect using www as username and fails. Right after, it tries using jp as a username and the connection is successful.

    The www username is a virtual-host user in pure-ftpd's database and the jp is a local unix user on the machine. It freaks me out. Connections were made using the jp username for over a month now.
    jp is my username on that machine, and I consider my password secure (letters + numbers, over 10 characters).
    Luckily, those who connected using the jp username only downloaded sources of various projects (php, libxml, etc).

    Funny thing, no one tried to connect through SSH. That's why I am wondering if the pure-ftpd server isn't compromised by a heap/stack overflow or any other exploitable vulnerability?

    Code:
    Oct 15 00:19:26 server pure-ftpd: ([email protected]) [NOTICE] /var/www//pdf/pdf/file1.pdf uploaded  (4768507 bytes, 46.36KB/sec)
    Oct 15 00:19:36 server pure-ftpd: ([email protected]) [NOTICE] /var/www//pdf/pdf/file2.pdf uploaded  (4929660 bytes, 41.82KB/sec)
    Oct 15 00:20:26 server pure-ftpd: ([email protected]) [INFO] Logout.
    Oct 15 00:20:36 server pure-ftpd: ([email protected]) [INFO] Logout.
    Oct 15 01:02:49 server pure-ftpd: ([email protected]) [INFO] Timeout - try typing a little faster next time
    Oct 15 05:49:04 server pure-ftpd: ([email protected]) [INFO] New connection from nvs272.mirohost.net
    Oct 15 05:49:10 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [www]
    Oct 15 05:49:11 server pure-ftpd: ([email protected]) [INFO] Logout.
    Oct 15 06:29:02 server pure-ftpd: ([email protected]) [INFO] New connection from versa.websitewelcome.com
    Oct 15 06:29:02 server pure-ftpd: ([email protected]) [INFO] jp is now logged in
    Oct 15 06:29:06 server pure-ftpd: ([email protected]) [NOTICE] /home/jp//libxml2-2.7.2/doc/devhelp/general.html downloaded  (5460 bytes, 9.32KB/se$
    Oct 15 06:29:07 server pure-ftpd: ([email protected]) [NOTICE] /home/jp//libxml2-2.7.2/doc/devhelp/general.html uploaded  (5533 bytes, 53.04KB/sec)
    Oct 15 06:29:07 server pure-ftpd: ([email protected]) [NOTICE] /home/jp//libxml2-2.7.2/doc/devhelp/index.html downloaded  (1940 bytes, 37.40KB/sec)
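
One way to run the check this thread ends up doing by hand (how many distinct hosts logged in as jp, and how many failed attempts each account saw) over pure-ftpd log lines of the shape shown above. This is an added example, not code from the original post; the sample log is constructed (documentation-range IPs, hostnames as they appear in the thread) and the threshold in suspicious_users is an assumption.

```python
import re
from collections import defaultdict

# Line shape from the post: "Oct 15 05:49:04 server pure-ftpd: (user@src) [LEVEL] message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
                     r"\((?P<who>[^@)]*)@(?P<src>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
NEWCONN_RE = re.compile(r"^New connection from (?P<host>\S+)$")
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
FAIL_RE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]+)\]$")

# Constructed sample (not the poster's real log): documentation-range IPs, hostnames as in the thread.
SAMPLE_LOG = """\
Oct 15 05:49:04 server pure-ftpd: (?@192.0.2.10) [INFO] New connection from nvs272.mirohost.net
Oct 15 05:49:10 server pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [www]
Oct 15 06:29:02 server pure-ftpd: (?@198.51.100.7) [INFO] New connection from versa.websitewelcome.com
Oct 15 06:29:02 server pure-ftpd: (jp@198.51.100.7) [INFO] jp is now logged in
Oct 16 03:11:40 server pure-ftpd: (?@203.0.113.5) [INFO] New connection from dsl-5.example.net
Oct 16 03:11:41 server pure-ftpd: (jp@203.0.113.5) [INFO] jp is now logged in
Oct 17 22:05:01 server pure-ftpd: (?@203.0.113.77) [INFO] New connection from host77.example.org
Oct 17 22:05:02 server pure-ftpd: (jp@203.0.113.77) [INFO] jp is now logged in
Oct 18 10:00:00 server pure-ftpd: (?@192.0.2.44) [INFO] New connection from office.example.com
Oct 18 10:00:01 server pure-ftpd: (alice@192.0.2.44) [INFO] alice is now logged in
"""

def summarize(lines):
    """Per user: distinct source hostnames that logged in, login count, failed attempts."""
    host_by_src = {}  # src address -> reverse-resolved name from its "New connection" line
    stats = defaultdict(lambda: {"hosts": set(), "logins": 0, "failures": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pure-ftpd line (or a truncated one); skip rather than guess
        src, msg = m.group("src"), m.group("msg")
        if (nc := NEWCONN_RE.match(msg)):
            host_by_src[src] = nc.group("host")
        elif (lg := LOGIN_RE.match(msg)):
            stats[lg.group("user")]["logins"] += 1
            stats[lg.group("user")]["hosts"].add(host_by_src.get(src, src))
        elif (f := FAIL_RE.match(msg)):
            stats[f.group("user")]["failures"] += 1
    return {u: {"hosts": sorted(s["hosts"]), "logins": s["logins"], "failures": s["failures"]}
            for u, s in stats.items()}

def suspicious_users(summary, max_hosts=2):
    """Users seen logging in from more distinct hosts than one person plausibly uses (threshold assumed)."""
    return sorted(u for u, s in summary.items() if len(s["hosts"]) > max_hosts)
```

Feed it the real log with summarize(open("/var/log/pure-ftpd.log").read().splitlines()) (path assumed; it varies by distribution) and compare jp's host list against the machines you actually use.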

  2. #2
    Join Date
    Apr 2002
    Posts
    930
    Looks like jp's password is compromised.

    The password may very well be secure, but if the password is stored anywhere, how secure are those storage mediums?

    Is the user saving the password in their FTP client site manager?

    Is the password listed in plain text somewhere in the user's e-mail box?

    Is the password listed anywhere, such as in a PHP script, on the user's hosting account?

    If the user's computer (any computer that they have used to connect to their site with FTP) is compromised with a virus, trojan, keylogger, or any type of malware, then even the most secure password can be compromised.

    If the user is listing the password in a PHP script on their website (for example, using their main account username/password for accessing databases instead of creating sub database users) and if a script on that account or server is compromised and the compromiser is able to read this config file, then the password can be compromised.

  3. #3
    Join Date
    Mar 2004
    Location
    /dev/null
    Posts
    275
    Quote Originally Posted by SPaReK View Post
    Looks like jp's password is compromised.

    The password may very well be secure, but if the password is stored anywhere, how secure are those storage mediums?

    Is the user saving the password in their FTP client site manager?

    Is the password listed in plain text somewhere in the user's e-mail box?

    Is the password listed anywhere, such as in a PHP script, on the user's hosting account?

    If the user's computer (any computer that they have used to connect to their site with FTP) is compromised with a virus, trojan, keylogger, or any type of malware, then even the most secure password can be compromised.

    If the user is listing the password in a PHP script on their website (for example, using their main account username/password for accessing databases instead of creating sub database users) and if a script on that account or server is compromised and the compromiser is able to read this config file, then the password can be compromised.
    Yeah, I agree with you. While posting I started some scans on the networks, still waiting.

    Changed password and ftp server back online. I'll wait and see what happens.

  4. #4
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,348
    Quote Originally Posted by oldunis View Post
    Yeah, I agree with you. While posting I started some scans on the networks, still waiting.

    Changed password and ftp server back online. I'll wait and see what happens.
    Just playing devil's advocate - have you heard of mirohost.net? The reason I'm asking is I've had similar issues when it turns out it's something silly like someone using a VPN / proxy server, hence the strange hostnames.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Let's Encrypt Sponsor.

  5. #5
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    I'm sorry but I only see mirohost.net connect once to try the www password; and the next entry is a completely different hostname connecting to jp about 40 minutes later; what did I miss here?

  6. #6
    Join Date
    Mar 2004
    Location
    /dev/null
    Posts
    275
    Quote Originally Posted by 040Hosting View Post
    I'm sorry but I only see mirohost.net connect once to try the www password; and the next entry is a completely different hostname connecting to jp about 40 minutes later; what did I miss here?
    Just within the last 4 days, over 10 different hosts did connect using the jp account.
    They seem to be either people with DSL connections or compromised servers ...

  7. #7
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by oldunis View Post
    Just within the last 4 days, over 10 different hosts did connect using the jp account.
    They seem to be either people with DSL connections or compromised servers ...
    That makes it more clear; I just tried to say that from the log posted above, it is a bit hard to tell if there is something fishy going on.

    Anyways; you should use SFTP or FTPS to connect to a server and never plain FTP. Besides that, it could also be a keylogger or sniffer anywhere on your machine or network. There are thousands of ways to obtain a password.
