Using Passive FTP on Amazon EC2

Installing proftpd on an Amazon EC2 instance is not rocket science, but after installing it you need to configure it to work correctly. Because Amazon EC2 instances use an internal IP address as their ethernet interface address, proftpd needs to be configured for passive FTP.

First, you need to apply for an Elastic IP address, which you will allocate to your instance. This will be the IP address that is shown to the world.

The second step is to configure the firewall properly for that instance. Go to the “Security group” assigned to the instance and add the following rules:

* Connection Method: Custom
* Protocol: TCP
* From Port: 20
* To Port: 21
* Source (IP or group): 0.0.0.0/0 (that is, if you want to permit the whole internet to access your FTP server; if not, replace this with the IP address or class that you want to give access to your FTP server)

We need to add another rule for the passive ports that will be used by proftpd:

* Connection Method: Custom
* Protocol: TCP
* From Port: 49152
* To Port: 65535
* Source (IP or group): 0.0.0.0/0

Now, go to your machine and edit /etc/proftpd/proftpd.conf and add the following lines:

PassivePorts 49152 65535

MasqueradeAddress your_elastic_ip_address

Restart proftpd and enjoy:

/etc/init.d/proftpd restart

For vsftpd, the configuration is slightly different. You need to edit vsftpd.conf and make sure that you add these lines:

pasv_min_port=1024
pasv_max_port=1080
pasv_address=your_elastic_ip_address

The range 1024-1080, or whatever other range you choose, needs to be added to the Security group, the same way we did for proftpd. Then run: /etc/init.d/vsftpd restart

How to remove malware, iframe virus from your site

I guess many of you already have this issue regarding the iframe malware.

In my research I found out that this isn’t the fault of the hosting Linux/Windows server. This issue is caused by a Windows virus that sniffs the internet connection for user names and passwords of FTP accounts. It then silently downloads every file (or only the index/default files) from the remote FTP server to the infected Windows PC, adds the iframe or JavaScript code, and finally uploads the files back. So, first of all, when removing this virus from the remote servers, check your computers. The virus is known as: Trojan.Script.Iframe.

After scanning your system carefully, consider no longer using FTP. Download WinSCP and stop storing your passwords locally. Then change your passwords.

To get the list of infected files I use either grep or find at any shell prompt (you will need SSH access to the server):

or with find:

find "$PWD" \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "income" {} \;

You can also check the timestamps of the files: if you see changes to index.html or any other file that you did not make on purpose, it means you are infected. I’m using the -mtime parameter of find to check for infected files:

find . -mtime -2

This finds all files that were modified in the last 48 hours.

Malware Removal
You can remove the malware by just deleting the code (sample above) from the affected files. If you need to clean up hundreds of infected files you can do the following: