Page 3 of 7 FirstFirst 1 2 3 4 5 6 7 LastLast
Results 41 to 60 of 129

Thread: Security problem with filemng

  1. #41


    Hello

    I have the same issue.

    logfile:
    xxx domain.com:8443 - [09/Jul/2012:03:25:26 +0200] "GET /plesk/client@72/domain@122/hosting/file-manager/ HTTP/1.1" 303 0 "https://domain.com:8443/plesk/client@72/domain@122/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/15.0.1084.56 Safari/546.5"

    plesk 9.5.2



  2. #42
    Kilo Poster
    Join Date
    Dec 2007
    Posts
    22


    I've changed my admin password.

    IgorG: I use PBAS. If I change the user's passwords, won't that break the connection to PBAS?



  3. #43


    Hi. How did you identify which client account was being used?
    Thanks



  4. #44


    Can I also ask, as I am having the same problem: I applied the patch and am still getting hacked several times per day. See http://nakedsecurity.sophos.com/2012...and-blackhole/ for details of how we are being hacked.

    When changing ALL passwords, does that also include user email passwords? Thanks



  5. #45
    Kilo Poster
    Join Date
    May 2010
    Posts
    18


    /var/log/audit/audit.log and /var/log/secure.log.* are your friends.

    You'll have to convert from unix epoch to human readable time on audit.log.

    You can marry up the user authenticating via the plesk admin panel with the users present in either of those log files by using the timestamp.
    That'll let you know which user was compromised.

    However, the only way to be sure an attacker cannot repeat the hack using a different username / password combination is to change all the unix user passwords, so that would be site / hosting users etc..

    I wouldn't imagine mail users would have this issue as they are virtual users and not unix users.
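
    The correlation this post describes, as an added example that is not part of the thread: it converts auditd epoch timestamps to readable time and pairs Plesk panel file-manager requests with unix authentication events that fall inside a small time window, so the unix account active at that moment stands out. The two log samples are constructed for illustration (placeholder IPs and a placeholder host); the auditd record layout (msg=audit(<epoch>:<serial>), acct="...", addr=...) and the combined-format panel log line are the shapes assumed.

```python
"""Correlate Plesk panel file-manager hits with auditd authentication events.

Added example, not code from the forum thread. Assumptions:
  * panel access log lines in the combined format the thread shows,
    with timestamps like 09/Jul/2012:03:25:26 +0200;
  * auditd records with a msg=audit(<epoch>.<ms>:<serial>) header and an
    acct="<user>" field on USER_AUTH events (USER_LOGIN has no acct=).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample panel log (placeholder IP and host, same shape as the thread's line).
PANEL_LOG = """\
203.0.113.5 domain.example:8443 - [09/Jul/2012:03:25:26 +0200] "GET /plesk/client@72/domain@122/hosting/file-manager/ HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 domain.example:8443 - [09/Jul/2012:03:25:31 +0200] "GET /plesk/client@72/domain@122/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed sample of /var/log/audit/audit.log. 1341797126 is
# 2012-07-09 01:25:26 UTC, i.e. 03:25:26 +0200 as in the panel log above.
AUDIT_LOG = """\
type=USER_AUTH msg=audit(1341797126.412:5001): pid=4242 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="siteuser1" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1341797127.010:5002): pid=4242 uid=0 auid=1001 ses=12 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1341800726.000:5100): pid=4300 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="otheruser" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
"""

PANEL_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
AUDIT_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):\d+\):")


def parse_panel_ts(ts: str) -> datetime:
    """Parse '09/Jul/2012:03:25:26 +0200' into a timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def epoch_to_human(epoch: float) -> str:
    """Convert an auditd epoch timestamp to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_panel_log(text: str) -> list:
    """Keep only requests that touched the panel file manager."""
    events = []
    for line in text.splitlines():
        m = PANEL_RE.match(line)
        if not m or "file-manager" not in m["req"]:
            continue
        events.append({"ip": m["ip"], "when": parse_panel_ts(m["ts"]), "req": m["req"]})
    return events


def parse_audit_log(text: str) -> list:
    """Extract type, time, account and source address from each audit record."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        acct = re.search(r'acct="([^"]+)"', line)
        addr = re.search(r"addr=(\S+)", line)
        events.append({
            "type": m["type"],
            "when": datetime.fromtimestamp(float(m["epoch"]), tz=timezone.utc),
            "acct": acct.group(1) if acct else None,
            "addr": addr.group(1) if addr else None,
        })
    return events


def correlate(panel_events, audit_events, window=timedelta(seconds=60)):
    """Pair each panel hit with audit events (carrying an account) within +/- window."""
    pairs = []
    for p in panel_events:
        for a in audit_events:
            if a["acct"] is not None and abs(a["when"] - p["when"]) <= window:
                pairs.append((p, a))
    return pairs


def suspect_accounts(panel_text, audit_text, window=timedelta(seconds=60)):
    """Sorted unix accounts that authenticated close to panel file-manager activity."""
    pairs = correlate(parse_panel_log(panel_text), parse_audit_log(audit_text), window)
    return sorted({a["acct"] for _, a in pairs})


if __name__ == "__main__":
    for p, a in correlate(parse_panel_log(PANEL_LOG), parse_audit_log(AUDIT_LOG)):
        print(f"{p['when'].isoformat()} {p['req'][:40]}...  <->  "
              f"{epoch_to_human(a['when'].timestamp())} {a['type']} acct={a['acct']} addr={a['addr']}")
    print("suspect accounts:", suspect_accounts(PANEL_LOG, AUDIT_LOG))
```

    On a real box the inputs would be the panel's access log and /var/log/audit/audit.log (or /var/log/secure, whose lines carry a syslog timestamp rather than an epoch). A 60-second window is a starting point; widen it if the two hosts' clocks are not synchronized, and treat a match as a lead to verify against the file modification times, not as proof on its own.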



  6. #46
    Kilo Poster
    Join Date
    Dec 2007
    Posts
    22


    I've changed only my admin password for now, and emptied the session table. Waiting to see if it happens again.

    Note that on Windows the SQL or MySQL password is really hard to find.

    I also have the complication of PBAS and Expand that prevents me from upgrading my Plesk installs.



  7. #47
    Kilo Poster
    Join Date
    Dec 2007
    Posts
    22


    According to this site: http://blog.unmaskparasites.com/2012...andom-domains/ the problem is Plesk-specific and brings up an interesting issue. If hackers are gaining access to Plesk, and the servers have already been patched, then either:

    1. There's another bug, or
    2. Our databases were dumped months ago

    Option 2 is especially scary.



  8. #48


    Quote Originally Posted by markytx:
    According to this site: http://blog.unmaskparasites.com/2012...andom-domains/ the problem is Plesk-specific and brings up an interesting issue. If hackers are gaining access to Plesk, and the servers have already been patched, then either:

    1. There's another bug, or
    2. Our databases were dumped months ago

    Option 2 is especially scary.
    Unfortunately, option 2 is highly probable.

    I guess hackers grabbed Plesk databases and then suspended their violent activity about 2-2.5 months ago in order to lull Plesk owners' vigilance.
    Now we are observing a new round of the exploit that is based on the grabbed Plesk databases.

    Please follow "Best Practices" from http://kb.parallels.com/113321.

    Sorry for the inconvenience.



  9. #49


    Our development team created a small executable to remove the script virus pattern from .htm, .html, .php, .asp and .css files on Windows-based Plesk control panel websites. We will provide the link soon for all Plesk CP users.



  10. #50
    Mega Poster
    Join Date
    Jun 2005
    Posts
    176


    I'll have to say that "Option 2" is unlikely, *not* highly probable.

    We had changed all the passwords as per the KB, and in less than 24 hours they were back in again with the new passwords. They hacked Plesk again using all the newly generated passwords.



  11. #51
    Kilo Poster
    Join Date
    Oct 2005
    Posts
    16


    Quote Originally Posted by galaxy:
    I'll have to say that "Option 2" is unlikely, *not* highly probable.

    We had changed all the passwords as per the KB, and in less than 24 hours they were back in again with the new passwords. They hacked Plesk again using all the newly generated passwords.
    Did you delete all of the current sessions before changing the passwords?



  12. #52
    Mega Poster
    Join Date
    Jun 2005
    Posts
    176


    The server was rebooted before and after (to assure it was clean).

    Also, the PBAS server was rebooted...
    Last edited by galaxy; Jul 10, 2012 at 12:19 PM.



  13. #53
    Kilo Poster
    Join Date
    Oct 2005
    Posts
    16


    Quote Originally Posted by galaxy:
    The server was rebooted before and after (to assure it was clean).

    Also, the PBAS server was rebooted...
    I don't know enough about Plesk's inner workings to know if a reboot clears the sessions table.



  14. #54
    Mega Poster
    Join Date
    Jun 2005
    Posts
    176


    Just restarting plesk is enough. Rebooting is overkill, but you know you have a clean webserver and other services as well, and the caches are cleared. Try it yourself (before and after checking active sessions).



  15. #55


    Quote Originally Posted by galaxy:
    They hacked Plesk again using all the newly generated passwords.
    Hello, galaxy. Could you please provide a bit more information? How did you discover "they hacked"?
    Have you found new infected files? Have you explored log files for operations with infected files? How long after you changed passwords and cleaned up sessions did "they hack" your server? Is it possible someone (your client) changed passwords back? We'd be grateful if you gave us as much information as possible about what's happened.
    You should understand that we can fix the issue only with your assistance. Thanks.
    Last edited by sergius; Jul 12, 2012 at 01:59 PM.



  16. #56


    Just got cleared up. As the Parallels guys are saying, they harvested the psa databases for passwords before the patch was released. So back in February, when the patch was released, was the time to change all the passwords on ALL your servers running Plesk. On a couple of our boxes we didn't see any suspicious entries in the logs, so we assumed that those servers were safe enough. We were wrong: they uploaded their scripts, but luckily we found them quickly and dealt with the situation.

    What we really need to know is: does anyone have the logs from the initial harvest of passwords? Did they take the complete database or just Plesk and FTP passwords? Do we need to change email passwords as well if we are running mail on the same servers?

    Can we look forward to the plesk agent API being locked down in 9.x?



  17. #57


    How do you monitor login attempts via sw-cp-serverd? I want to see logs of the login attempts (which hopefully fail now after the password changes) before I can be certain that the patch fixed the security issue.



  18. #58

    Jsvirusfixer - download link

    You can download the virus fixer executable for Windows Plesk servers from the link below: jsvirusfixer
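
    Posts #49 and #58 describe a tool that strips an injected script pattern from .htm, .html, .php, .asp and .css files. The thread does not show how that tool works, so the following is an added example, not jsvirusfixer and not the poster's code: it walks a web root, reports files of those extensions that contain a known injected block, backs each one up and removes the block. It assumes the exact injected text has already been copied from an infected file and is supplied as a regex; the sample files and the placeholder domain attacker.invalid are constructed for the demonstration.

```python
"""Report and strip a known injected <script> block from static web files.

Added example, not the thread's jsvirusfixer tool. Assumptions: the injected
text is known verbatim (taken from an infected file) and is passed as a
bytes regex; files are handled as bytes so non-UTF-8 content is not altered.
"""
import os
import re
import shutil
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".php", ".asp", ".css"}

# Constructed marker with a placeholder domain; not a real indicator.
INJECTED = b'<script type="text/javascript" src="http://attacker.invalid/x.js"></script>'
INJECTION_RE = re.compile(re.escape(INJECTED), re.IGNORECASE)


def build_sample_site(root: str) -> None:
    """Write a constructed site: two infected web files, one clean, one non-web."""
    files = {
        "index.html": b"<html><body>hello</body></html>\n" + INJECTED + b"\n",
        "style.css": b"body { color: #000; }\n",
        "page.php": b"<?php echo 'x'; ?>\n" + INJECTED,
        "notes.txt": INJECTED,  # not a web extension: must be left untouched
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def iter_web_files(root: str):
    """Yield paths under root whose extension is one of WEB_EXTENSIONS."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            if os.path.splitext(n)[1].lower() in WEB_EXTENSIONS:
                yield os.path.join(dirpath, n)


def find_infected(root: str, pattern=INJECTION_RE) -> list:
    """Sorted list of web files that contain the injected block (read-only pass)."""
    hits = []
    for path in iter_web_files(root):
        with open(path, "rb") as fh:
            if pattern.search(fh.read()):
                hits.append(path)
    return sorted(hits)


def clean_file(path: str, root: str, backup_dir: str, pattern=INJECTION_RE) -> int:
    """Back up path (keeping its relative layout) and remove every match. Returns count."""
    with open(path, "rb") as fh:
        original = fh.read()
    cleaned, count = pattern.subn(b"", original)
    if count:
        backup_path = os.path.join(backup_dir, os.path.relpath(path, root))
        os.makedirs(os.path.dirname(backup_path), exist_ok=True)
        shutil.copy2(path, backup_path)  # keep the evidence before altering the file
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return count


def clean_site(root: str, backup_dir: str, pattern=INJECTION_RE) -> dict:
    """Clean every infected file under root; map path -> number of blocks removed."""
    return {p: clean_file(p, root, backup_dir, pattern) for p in find_infected(root, pattern)}


def demo():
    """Run the whole flow on the constructed site in temp dirs; return a summary."""
    root = tempfile.mkdtemp(prefix="webroot-")
    backup = tempfile.mkdtemp(prefix="webroot-backup-")
    try:
        build_sample_site(root)
        before = [os.path.basename(p) for p in find_infected(root)]
        counts = clean_site(root, backup)
        after = [os.path.basename(p) for p in find_infected(root)]
        with open(os.path.join(root, "notes.txt"), "rb") as fh:
            untouched = fh.read() == INJECTED
        return before, sorted(counts.values()), after, untouched
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(backup, ignore_errors=True)


if __name__ == "__main__":
    before, removed, after, untouched = demo()
    print("infected before:", before, "removed per file:", removed,
          "infected after:", after, "non-web file untouched:", untouched)
```

    Run find_infected first on its own to review the hit list before clean_site modifies anything. As the later posts in this thread show, stripping the injected block only restores the pages; the credentials and sessions the attacker used still have to be changed and cleared, or the files are simply re-infected.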



  19. #59
    Bit Poster
    Join Date
    Jan 2009
    Posts
    5


    Quote Originally Posted by GopalakrishnanA:
    You can download the virus fixer executable for Windows Plesk servers from the link below: jsvirusfixer
    Thanks for the great script



  20. #60


    Same here,

    had the break-in in February, installed the patch and cleaned the system.

    On 9.7 and 10.7, however, there were successful break-ins.

    They modified the files and placed the malware JavaScript.
    However, I couldn't find any FTP logins, so can anyone tell me
    how they modified the files without using FTP?
    On some of the webpages there are even dynamic PHP scripts
    which could be used to place code in files...

    thanks



