
After latest update rkhunter TCP 2006 warning

Discussion in 'Plesk 10.x for Linux Suggestions and Feedback' started by Nicodemus, Mar 6, 2011.

  1. Nicodemus

    Nicodemus Guest

    After the latest update my rkhunter shows me a warning. I guess it is a false positive, but why is it using that port?

    Warning: Network TCP port 2006 is being used by /usr/sbin/sw-cp-serverd. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
    Use the 'lsof -i' or 'netstat -an' command to check this.
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    I have checked on a default Plesk installation:

    # lsof -i tcp:2006
    # lsof -i udp:2006
    # netstat -an | grep 2006

    As you can see, port 2006 is not used there. So, check it. It really may be a rootkit.
     
  3. Nicodemus

    Nicodemus Guest

    # lsof -i tcp:2006
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    sw-cp-ser 3711 sw-cp-server 8u IPv4 8972 TCP *:2006 (LISTEN)

    # lsof -i udp:2006
    empty response

    # netstat -an | grep 2006
    tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN


    I found sw-cp-serverd on the following:

    netstat -tulnap shows me sw-cp-serverd here:
    tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 3711/sw-cp-serverd
    tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 3711/sw-cp-serverd
    tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 3711/sw-cp-serverd
    tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3711/sw-cp-serverd


    The only running sw-cp-serverd with the PID 3711 I see with ps axf is this:
    3711 ? S 0:01 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config

    Any hints?
     
    Last edited by a moderator: Mar 9, 2011
  4. IgorG

    IgorG Forums Analyst Staff Member

    Try to check that the package was not compromised with
     
  5. Nicodemus

    Nicodemus Guest

    It's Debian, I don't have any rpm stuff on the server.

    I checked a little into it anyway, and by accident I saw that the 10.2 update was more or less installed instead of the 10.1.1 update, which I managed to fix myself with apt-get install fix. I see that in the

    /etc/sw-cp-server/applications.d

    folder there is a file called

    zz011_siteeditor.conf

    which sets up the following:

    server.modules += ("mod_rewrite", "mod_fastcgi", "mod_accesslog", "mod_access")

    var.se_user = "sw-cp-server"
    var.se_group = "sw-cp-server"

    var.se_port = 2006
    var.se_prefix = "/opt/siteeditor"
    var.se_vhostname = "siteeditor.******.*******.com" # VHOST name
    var.se_hostip = "***.***.***.**" # that was my server's IP address
    var.se_phppath = "/usr/bin/sw-engine-cgi"
    var.se_accesslog = "/opt/siteeditor/tmp/siteeditor3-access.log"
    #var.se_server = var.se_hostip + ":" + var.se_port
    var.se_server = ":" + var.se_port

    #$HTTP["host"] == var.se_vhostname {
    $SERVER["socket"] == var.se_server {
        $HTTP["url"] =~ "^/Login" {
            url.access-deny = ("")
        }

        $HTTP["url"] =~ "^/Admin" {
            url.access-deny = ("")
        }

        # $HTTP["remoteip"] !~ "127.0.0.1|***.***.***.**" { # My Server IPs addy
        #     $HTTP["url"] =~ "^/ServiceFacade/" {
        #         url.access-deny = ( "" )
        #     }
        # }

        # server.port = var.se_port
        server.name = var.se_vhostname
        server.document-root = var.se_prefix + "/htdocs"
        # server.username = var.se_user
        # server.groupname = var.se_group

        accesslog.filename = var.se_accesslog

        fastcgi.map-extensions = ( ".asmx" => ".php" )

        fastcgi.server = ( ".php" =>
            ( "localhost" =>
                (
                    "socket" => "/tmp/siteeditor-php.socket",
                    "broken-scriptfilename" => "enable",
                    "bin-environment" => ("PHPRC" => var.se_prefix + "/etc",),
                    "bin-path" => var.se_phppath + " -c " + var.se_prefix + "/etc/php.ini",
                    "max-procs" => 1,
                    "min-procs" => 0,
                    "idle-timeout" => 30,
                    "bin-username" => var.se_user
                )
            )
        )

        index-file.names += ( "index.php", "index.html" )

        mimetype.assign = (
            ".png" => "image/png",
            ".jpg" => "image/jpeg",
            ".jpeg" => "image/jpeg",
            ".bmp" => "image/bmp",
            ".gif" => "image/gif",
            ".xml" => "text/xml",
            ".js" => "text/javascript",
            ".html" => "text/html",
            ".jar" => "application/jar",
            ".txt" => "text/plain",
            ".css" => "text/css"
        )

        server.error-handler-404 = "/index.php"

        url.rewrite-once = (
            "(/ServiceFacade/(.*)?)" => "$1", # disable rewriting inside service facade
            "^(/[a-z].*)$" => "$1", # disable rewriting for non-regular paths
            "(.*)" => "/index.php/$1" # rewrite all other urls to front controller
        )
    } # $SERVER


    So what can I do to uninstall that stuff? I think it is the Sitebuilder of Plesk which is using port 2006.
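As an added example (not from the thread or from Plesk), a small POSIX sh helper that automates the checks the posts above do by hand: it maps a port to its listening PID/program from netstat -tulnap output, searches a config tree for the assignment that binds that port (the way zz011_siteeditor.conf sets var.se_port), and, on Debian, asks dpkg/debsums whether the running binary still matches its package, the Debian counterpart of the rpm check hinted at earlier. The netstat sample and the demo config tree are constructed; the config directory argument and the presence of debsums are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): automate the port-to-process-to-config
# checks the posts do by hand. SAMPLE_NETSTAT mirrors the listing above (constructed).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3711/sw-cp-serverd'

# listener_for PORT [NETSTAT_OUTPUT]: PID/program of the LISTEN socket on PORT.
# With a single argument it parses the live `netstat -tulnap` output instead.
listener_for() {
    out=${2:-$(netstat -tulnap 2>/dev/null)}
    printf '%s\n' "$out" | awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7; exit }'
}

# port_config_hits DIR PORT: config files under DIR assigning PORT to server.port
# or to a var.*port variable, the way zz011_siteeditor.conf sets var.se_port.
port_config_hits() {
    grep -rlE "^[[:space:]]*(var\.[a-z_]*port|server\.port)[[:space:]]*=[[:space:]]*$2([^0-9]|\$)" "$1" 2>/dev/null
}

# verify_binary PID: Debian counterpart of an rpm -V check (assumes debsums is
# installed): find the package owning the live executable and list changed files.
verify_binary() {
    exe=$(readlink -f "/proc/$1/exe") || return 1
    pkg=$(dpkg -S "$exe" 2>/dev/null | cut -d: -f1); [ -n "$pkg" ] || return 1
    printf '%s belongs to package %s\n' "$exe" "$pkg"
    debsums -c "$pkg" 2>/dev/null   # prints only files whose checksum differs
}

# triage PORT CONFIG_DIR [NETSTAT_OUTPUT]: expected listener vs. unexplained one.
triage() {
    owner=$(listener_for "$1" "$3")
    [ -n "$owner" ] || { echo "port $1: nothing listening"; return 0; }
    hits=$(port_config_hits "$2" "$1")
    if [ -n "$hits" ]; then
        echo "port $1: $owner, bound by config:"; echo "$hits"
    else
        echo "port $1: $owner not explained by $2, verify PID ${owner%%/*}"
    fi
}

# Stand-alone demo on a constructed config tree; no running daemon needed.
demo_dir=$(mktemp -d)
printf 'var.se_port = 2006\n' > "$demo_dir/zz011_siteeditor.conf"
triage 2006 "$demo_dir" "$SAMPLE_NETSTAT"
rm -rf "$demo_dir"
```

On a live host, `triage 2006 /etc/sw-cp-server/applications.d` (no third argument) parses the real netstat output, and `verify_binary 3711` checks the binary behind the PID it reports.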
     
  6. IgorG

    IgorG Forums Analyst Staff Member

    We haven't released Plesk version 10.2 yet. It looks like you have installed Parallels Small Business Panel version 10.2 over Plesk. Recovering Plesk is not a trivial task in that case. Therefore I suggest you contact the support team if you can't recover it yourself.
     