
After latest update rkhunter TCP 2006 warning

Nicodemus (Guest)
After the latest update my rkhunter shows me a warning. I guess it is a false positive, but why is it using that port?

Warning: Network TCP port 2006 is being used by /usr/sbin/sw-cp-serverd. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
Use the 'lsof -i' or 'netstat -an' command to check this.
 
I have checked on default Plesk installation:

# lsof -i tcp:2006
# lsof -i udp:2006
# netstat -an | grep 2006

As you can see, port 2006 is not used there. So, check it. It really may be a rootkit.
 
# lsof -i tcp:2006
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sw-cp-ser 3711 sw-cp-server 8u IPv4 8972 TCP *:2006 (LISTEN)

# lsof -i udp:2006
empty response

# netstat -an | grep 2006
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN


I found sw-cp-serverd on the following:

netstat -tulnap shows me sw-cp-serverd here:
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3711/sw-cp-serverd


The only running sw-cp-serverd with the PID 3711 that I see with ps axf is this:
3711 ? S 0:01 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config

Any hints?
 
It's Debian, I don't have any rpm stuff on the server.

I checked into it a little anyway, and by accident I saw that the 10.2 update was more or less installed instead of the 10.1.1 update, which I managed to fix myself with apt-get install. I see that in

/etc/sw-cp-server/applications.d

folder is a file called

zz011_siteeditor.conf

which sets the following up:

server.modules += ("mod_rewrite", "mod_fastcgi", "mod_accesslog", "mod_access")

var.se_user = "sw-cp-server"
var.se_group = "sw-cp-server"

var.se_port = 2006
var.se_prefix = "/opt/siteeditor"
var.se_vhostname = "siteeditor.******.*******.com" # VHOST name
var.se_hostip = "***.***.***.**" # that was my server's IP address
var.se_phppath = "/usr/bin/sw-engine-cgi"
var.se_accesslog = "/opt/siteeditor/tmp/siteeditor3-access.log"
#var.se_server = var.se_hostip + ":" + var.se_port
var.se_server = ":" + var.se_port

#$HTTP["host"] == var.se_vhostname {
$SERVER["socket"] == var.se_server {
    $HTTP["url"] =~ "^/Login" {
        url.access-deny = ("")
    }

    $HTTP["url"] =~ "^/Admin" {
        url.access-deny = ("")
    }

    # $HTTP["remoteip"] !~ "127.0.0.1|***.***.***.**" { # My Server IPs addy
    #     $HTTP["url"] =~ "^/ServiceFacade/" {
    #         url.access-deny = ( "" )
    #     }
    # }

    # server.port = var.se_port
    server.name = var.se_vhostname
    server.document-root = var.se_prefix + "/htdocs"
    # server.username = var.se_user
    # server.groupname = var.se_group

    accesslog.filename = var.se_accesslog

    fastcgi.map-extensions = ( ".asmx" => ".php" )

    fastcgi.server = ( ".php" =>
        ( "localhost" =>
            (
                "socket" => "/tmp/siteeditor-php.socket",
                "broken-scriptfilename" => "enable",
                "bin-environment" => ("PHPRC" => var.se_prefix + "/etc",),
                "bin-path" => var.se_phppath + " -c " + var.se_prefix + "/etc/php.ini",
                "max-procs" => 1,
                "min-procs" => 0,
                "idle-timeout" => 30,
                "bin-username" => var.se_user
            )
        )
    )

    index-file.names += ( "index.php", "index.html" )

    mimetype.assign = (
        ".png" => "image/png",
        ".jpg" => "image/jpeg",
        ".jpeg" => "image/jpeg",
        ".bmp" => "image/bmp",
        ".gif" => "image/gif",
        ".xml" => "text/xml",
        ".js" => "text/javascript",
        ".html" => "text/html",
        ".jar" => "application/jar",
        ".txt" => "text/plain",
        ".css" => "text/css"
    )

    server.error-handler-404 = "/index.php"

    url.rewrite-once = (
        "(/ServiceFacade/(.*)?)" => "$1", # disable rewriting inside service facade
        "^(/[a-z].*)$" => "$1", # disable rewriting for non-regular paths
        "(.*)" => "/index.php/$1" # rewrite all other urls to front controller
    )
} # $SERVER



So what can I do to uninstall that stuff? I think it is the Sitebuilder of Plesk which is using the 2006 port.
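The two steps taken in this thread, listing listeners with netstat and then reading the sw-cp-server application configs to find which one opens port 2006, can be automated so that every listening port is attributed to the config file that binds it before an rkhunter port warning is treated as a rootkit. The script below is an added example, not code from the thread, from rkhunter or from Plesk. It embeds the four netstat lines quoted above as constructed sample input, plus one constructed listener on port 2007 ("unknown-daemon") that no config explains, and two constructed config texts: an excerpt of the zz011_siteeditor.conf shown above (with a placeholder IP) and a hypothetical 00-panel.conf standing in for the panel's own 8443/8880/10001 bindings. The lighttpd expression evaluator only handles string literals, integers and var.* names joined with "+", which is all the posted config uses.

```python
import re

# Constructed sample: the listener lines quoted in the thread plus one
# constructed listener (port 2007) that no config file accounts for.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2007 0.0.0.0:* LISTEN 4120/unknown-daemon
"""

# Constructed sample configs: an excerpt of the thread's zz011_siteeditor.conf
# (placeholder IP) and a hypothetical 00-panel.conf for the panel's own ports.
CONFIG_SAMPLES = {
    "/etc/sw-cp-server/applications.d/zz011_siteeditor.conf": """\
var.se_port = 2006
var.se_hostip = "192.0.2.10"  # constructed placeholder address
#var.se_server = var.se_hostip + ":" + var.se_port
var.se_server = ":" + var.se_port
$SERVER["socket"] == var.se_server {
    server.name = "siteeditor.example.com"
}
""",
    "/etc/sw-cp-server/applications.d/00-panel.conf": """\
var.panel_ip = "127.0.0.1"
$SERVER["socket"] == ":8443" {
}
$SERVER["socket"] == ":8880" {
}
$SERVER["socket"] == var.panel_ip + ":10001" {
}
""",
}

# One `netstat -tulnap` TCP LISTEN line: proto, local addr:port, pid/program.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN"
    r"\s+(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)
ASSIGN_RE = re.compile(r"^var\.(\w+)\s*=\s*(.+)$")
SOCKET_RE = re.compile(r'^\$SERVER\["socket"\]\s*==\s*(.+?)\s*\{$')


def parse_listeners(netstat_text):
    """Return one dict (proto, addr, port, pid, prog) per TCP LISTEN line."""
    matches = (LISTEN_RE.match(line.strip()) for line in netstat_text.splitlines())
    return [m.groupdict() for m in matches if m]


def strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside a string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "#" and not in_string:
            return line[:i]
    return line


def eval_expr(expr, env):
    """Evaluate string literals, integers and var.* names joined by '+'."""
    parts = []
    for tok in (t.strip() for t in expr.split("+")):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            parts.append(tok[1:-1])
        elif tok.startswith("var."):
            parts.append(env[tok[4:]])  # KeyError surfaces an undefined variable
        elif tok.isdigit():
            parts.append(tok)
        else:
            raise ValueError(f"unsupported expression token: {tok!r}")
    return "".join(parts)


def socket_ports(config_text):
    """Ports bound by $SERVER["socket"] blocks in one config, var.* resolved."""
    env, ports = {}, []
    for raw in config_text.splitlines():
        line = strip_comment(raw).strip()
        if (m := ASSIGN_RE.match(line)):
            env[m.group(1)] = eval_expr(m.group(2), env)
        elif (m := SOCKET_RE.match(line)):
            ports.append(eval_expr(m.group(1), env).rsplit(":", 1)[-1])
    return ports


def attribute_listeners(netstat_text, configs):
    """Attach to each listener the list of config paths binding its port."""
    bindings = {}
    for path, text in configs.items():
        for port in socket_ports(text):
            bindings.setdefault(port, []).append(path)
    return [dict(l, configs=bindings.get(l["port"], []))
            for l in parse_listeners(netstat_text)]


def unexplained_ports(report):
    """Listening ports that no scanned config accounts for, lowest first."""
    return sorted({l["port"] for l in report if not l["configs"]}, key=int)


if __name__ == "__main__":
    report = attribute_listeners(NETSTAT_SAMPLE, CONFIG_SAMPLES)
    for l in report:
        owner = ", ".join(l["configs"]) or "NO CONFIG FOUND"
        print(f'{l["addr"]}:{l["port"]:<6} {l["prog"] or "?":<16} {owner}')
    print("unexplained:", unexplained_ports(report))
```

On a live Debian host the two sample strings would be replaced by the output of `netstat -tulnap` and the contents of the files under /etc/sw-cp-server/applications.d; port 2006 then resolves to zz011_siteeditor.conf exactly as the thread found by hand, while the constructed port 2007 is reported with no owner, which is the case that deserves the follow-up check rkhunter asks for.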
 
We haven't released the Plesk 10.2 version yet. It looks like you have installed Parallels Small Business Panel 10.2 over Plesk. Recovering Plesk is not a trivial task in that case. Therefore I suggest you contact the support team if you can't recover it by yourself.
 