On Mon, 15 Nov 2010 15:15:03 +0100, "Francesco P. Lovergine" <[email protected]> wrote:

> On Mon, Nov 15, 2010 at 03:05:17PM +0100, Jean Couillaud wrote:
>> I suspected proftpd and a quick look at the proftpd logs shows a really
>> great number of login attempts (bruteforce like) and several "too long
>> command" thingies (I'll be more specific this evening), the last one
>> being at the exact same time as the mod_facl error and the psadmin user
>> creation.
>> You said mod_facl is not active by default. It's quite strange since I
>> don't remember modifying the proftpd configuration since I installed it
>> a few months ago.
>>
>
> As said, mod_facl is not active by default, and the whole content of
> your /etc/proftpd directory would help to understand what happened
> and if it is due to proftpd or what else.
I'll have to check, but since I did an "apt-get --purge remove proftpd-basic" (I know this seems rather dumb now, but I had reasons to believe that he could have modified a file in the proftpd conf dir to ease upcoming hacking attempts), I'm not sure I'll be able to get much ... at least, tripwire will see the dir structure modification and give me the old structure of /etc/proftpd.

> Note that you had also
> installed an apache server (with possibly some webapps?).

I do have an apache with several webapps (blog, webmails and such things) and an exim running. But every modification/creation date of files I found linked to the rooting matches the facl error date. The hacker might have done that intentionally after exploiting something else, but it seems rather complicated since I am just a geek with a server at home and there is no sensible data on the server. Besides, if he was that motivated, he would have cleaned the logs so that I wouldn't even suspect he broke in ...

Wouldn't it be possible to exploit a vulnerability in proftpd to load the facl module and use another vulnerability in mod_facl to get a shell or execute a command as root?

Anyway, if he exploited something else, I'll know it soon enough since he will obviously be able to do it again. Additionally, I'll check the server activity in the coming days to be sure these logs were not smoke and mirrors.
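The "really great number of login attempts" Jean mentions is the kind of pattern worth pulling out of the proftpd log mechanically rather than by eye. The script below is an added example, not code from the thread or from the ProFTPD project: it parses constructed proftpd-style syslog lines (the line layout, the "no such user found" / "Login failed" wording, the year and the IP addresses are all assumptions made for the example; real entries vary with the ProFTPD version and logging configuration), groups failed logins by client address, and reports any address whose failures exceed a threshold inside a sliding time window, which is the signature of a brute-force run.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a proftpd-style syslog layout. This format is an
# assumption for the example; check it against your own /var/log/syslog entries.
SAMPLE_LOG = """\
Nov 14 02:11:03 host proftpd[2201] host (203.0.113.7[203.0.113.7]): USER admin: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 14 02:11:04 host proftpd[2202] host (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password
Nov 14 02:11:05 host proftpd[2203] host (203.0.113.7[203.0.113.7]): USER test: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 14 02:11:06 host proftpd[2204] host (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password
Nov 14 02:11:07 host proftpd[2205] host (203.0.113.7[203.0.113.7]): USER oracle: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 14 02:11:40 host proftpd[2206] host (203.0.113.7[203.0.113.7]): FTP session closed.
Nov 14 09:30:12 host proftpd[2310] host (198.51.100.4[198.51.100.4]): USER jean (Login failed): Incorrect password
Nov 14 09:30:20 host proftpd[2311] host (198.51.100.4[198.51.100.4]): USER jean: Login successful.
"""

# Syslog timestamp, host, "proftpd[pid]", server name, "(client[ip]):" and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\] \S+ "
    r"\((?P<client>[^\[]*)\[(?P<ip>[0-9a-fA-F.:]+)\]\): (?P<msg>.*)$"
)
# Message fragments treated as a failed authentication attempt (assumed wording).
FAIL_RE = re.compile(r"no such user found|Login failed")


def parse_failures(text, year=2010):
    """Return {client_ip: [datetime, ...]} for every failed login in the log text.

    Syslog lines carry no year, so the caller supplies one (2010 matches the thread).
    """
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not FAIL_RE.search(m.group("msg")):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    return failures


def max_burst(times, window_s):
    """Largest number of events that fall inside any window of window_s seconds."""
    times = sorted(times)
    best = 0
    start = 0
    for end, t in enumerate(times):
        # Slide the window start forward until it is within window_s of the newest event.
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(text, threshold=5, window_s=60):
    """Return {client_ip: burst_size} for addresses at or above the threshold."""
    flagged = {}
    for ip, times in parse_failures(text).items():
        burst = max_burst(times, window_s)
        if burst >= threshold:
            flagged[ip] = burst
    return flagged


if __name__ == "__main__":
    for ip, burst in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {burst} failed logins within 60s")
```

On the constructed input only 203.0.113.7 is reported (five failures in four seconds); the single typo from 198.51.100.4 followed by a successful login stays below the threshold, which is the distinction a threshold-in-window rule is meant to make. Correlating the first flagged timestamp with the mod_facl error and the unexpected account creation, as the thread is doing by hand, is then a matter of comparing datetimes.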

