On 05/19/13 11:59, Philipp Duffner wrote: > Hi, > > I'm running Plesk 11.0.9 on a Centos 5.5. > A website on that box got hacked last week and malicious code got inserted > into some html/php files. So I went to find out what happened... > <snip> > * yum update everything, also made sure I have the latest version of proftp > * restore the entire website from a clean backup > * delete the WYSIWYG folder that I believed had caused the vulnerability > > The next days I slept ok hoping I removed the attacker's entry point(s). > > ...so I thought! Today the website got hacked again - the same exploit on > the pages, meaning same attacker. > And again I can see nothing suspicious except for the successful FTP logon > just before the modification time of the infected html/php: > > 2013-05-18T15:01:25.195559-07:00 MyServer proftpd: Deprecated pam_stack > module called from service "proftpd" <snip> The bunch of these messages, above, make me wonder if the reason that the pam stack module is deprecated is vulnerability. Consider checking the proftpd configuration, and /etc/pam.d/proftp? whatever it's called, and see if you can change what it's calling. mark -- "The group mentality of the United States is fundamentally that of a teenager." -British Immigrant _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos