On Tue, October 8, 2013 4:44 pm, Stan Hoeppner wrote:
> On 10/7/2013 11:19 PM, li...@sbt.net.au wrote:
>> there was a php script uploaded and called
>> I've removed the script, I stopped ftp (it seems it was ftp'd)
>> at the time I've posted, I was on a 4" mobile, and, I was looking for a
>> stop-gap measure to 'stop further damage' from that point

Stan, thanks

from the proftpd logs:

----------
cat xfer*
Mon Oct 07 11:14:30 2013 0 ::ffff:37.139.47.33 372 /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
Mon Oct 07 11:14:32 2013 0 ::ffff:37.139.47.33 399 /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
Sun Oct 06 05:53:52 2013 0 ::ffff:37.139.47.33 372 /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
Sun Oct 06 05:53:54 2013 0 ::ffff:37.139.47.33 406 /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:09:53 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:09:54 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ d r adom.com.au ftp 0 * c
Fri Oct 04 04:47:25 2013 0 ::ffff:37.139.47.33 7323 /home/adom.com.au/public_html/xmlrpcVZY.php a _ i r adom.com.au ftp 0 * c
Fri Sep 20 04:34:21 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
Fri Sep 20 04:34:23 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ d r adom.com.au ftp 0 * c
----------

the ftp users are linked to system users

going from the above ftp logins: what other logs to search, and what to search for?

(I'm curious whether the user outsourced his web work; AFAIK the ftp password is a random string assigned from here, will look into this)

> Understood. For a more permanent solution to this script problem, you
> may want to consider locking down or disabling the pickup service, and
> configuring all web applications and MUAs to use the submission service
> with auth. This will prevent such scripts from being able to send mail in
> the event some crafty soul is able to get one uploaded via something other
> than FTP.

how do I lock it down or disable it?

there are several Joomla CMSs; I'll check and see about changing to 587/smtp-auth

thanks for any other pointers

voytek
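As an added worked example (my code, not part of the thread and not ProFTPD's or Postfix's own tooling), here is a small Python triage script run over the xferlog lines quoted in the post above, embedded as constructed sample input. It parses the xferlog fields, lists completed uploads whose name looks like server-side code, pairs an upload with a proftpd delete (direction `d`) of the same file from the same client shortly afterwards (the two dt.php pairs above show exactly that: 33 bytes in, gone a second or two later), and summarises first/last activity per client IP, which is what you carry into the web server access log and the auth log next. The suffix list, the five-minute pairing window and the function names are my assumptions.

```python
"""Triage a ProFTPD TransferLog (xferlog format) for web-shell activity.

Added example for the thread above; not code from the original post.
The sample below is constructed from the nine xferlog lines quoted there.
"""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

SAMPLE_XFERLOG = """\
Mon Oct 07 11:14:30 2013 0 ::ffff:37.139.47.33 372 /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
Mon Oct 07 11:14:32 2013 0 ::ffff:37.139.47.33 399 /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
Sun Oct 06 05:53:52 2013 0 ::ffff:37.139.47.33 372 /home/adom.com.au/public_html/rleeDW.html a _ i r adom.com.au ftp 0 * c
Sun Oct 06 05:53:54 2013 0 ::ffff:37.139.47.33 406 /home/adom.com.au/public_html/aleeDW.html a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:09:53 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
Fri Oct 04 04:09:54 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ d r adom.com.au ftp 0 * c
Fri Oct 04 04:47:25 2013 0 ::ffff:37.139.47.33 7323 /home/adom.com.au/public_html/xmlrpcVZY.php a _ i r adom.com.au ftp 0 * c
Fri Sep 20 04:34:21 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ i r adom.com.au ftp 0 * c
Fri Sep 20 04:34:23 2013 0 ::ffff:95.163.104.67 33 /home/adom.com.au/public_html/dt.php a _ d r adom.com.au ftp 0 * c
"""

Xfer = namedtuple("Xfer", "when secs client size path direction user status")

# Assumed list of extensions the web server would execute; extend for your setup.
SCRIPT_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".pl", ".cgi")


def normalize_client(host):
    """Strip the ::ffff: IPv4-mapped prefix proftpd logs on a dual-stack socket."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # a hostname, if reverse DNS was on
    if addr.version == 6 and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_xferlog(text):
    """Parse xferlog lines. The fixed fields are taken from both ends of the
    line, so a filename containing spaces still parses correctly."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue  # not a complete xferlog record
        when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
        secs, client, size = int(t[5]), normalize_client(t[6]), int(t[7])
        # last nine: type special direction mode user service auth authid status
        _xtype, _special, direction, _mode, user, _svc, _auth, _authid, status = t[-9:]
        path = " ".join(t[8:-9])
        records.append(Xfer(when, secs, client, size, path, direction, user, status))
    return records


def script_uploads(records):
    """Completed incoming ('i') transfers whose name looks like server-side code."""
    return [r for r in records
            if r.direction == "i" and r.status == "c"
            and r.path.lower().endswith(SCRIPT_SUFFIXES)]


def drop_and_delete(records, window=timedelta(minutes=5)):
    """Pair an upload with a proftpd delete ('d') of the same path by the same
    client inside `window`: the signature of a script run once and cleaned up."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r.when):
        by_key[(r.client, r.path)].append(r)
    pairs = []
    for (client, path), rs in by_key.items():
        for up, nxt in zip(rs, rs[1:]):
            if up.direction == "i" and nxt.direction == "d" and nxt.when - up.when <= window:
                pairs.append((client, path, up.when, nxt.when))
    return pairs


def by_client(records):
    """Per-client IP: first/last seen, upload and delete counts, ftp users touched."""
    summary = {}
    for r in records:
        s = summary.setdefault(r.client, {"first": r.when, "last": r.when,
                                          "uploads": 0, "deletes": 0, "users": set()})
        s["first"], s["last"] = min(s["first"], r.when), max(s["last"], r.when)
        s["uploads"] += r.direction == "i"
        s["deletes"] += r.direction == "d"
        s["users"].add(r.user)
    return summary


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for r in script_uploads(recs):
        print("upload ", r.when, r.client, r.size, r.path)
    for client, path, up, gone in drop_and_delete(recs):
        print("run+rm ", client, path, "uploaded", up, "deleted", gone)
    for client, s in by_client(recs).items():
        print("client ", client, s["first"], "..", s["last"],
              "up=%d del=%d users=%s" % (s["uploads"], s["deletes"], sorted(s["users"])))
```

The client IPs and timestamps this yields are the pivot into the next logs: the web server access log for requests to the uploaded paths (and for any request from those two addresses), the auth log for the matching ftp logins, and the Postfix log for mail the web server's user handed to pickup in the minutes after each upload. Run it against the real xferlog files rather than the embedded sample (`parse_xferlog(open(path).read())`).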