• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved Corrupt .cer files? All domains

DataPacket

New Pleskian
Server operating system version
Windows 2019
Plesk version and microupdate number
Plesk Obsidian Version 18.0.52 Update #3
I'm encountering a peculiar problem during backups. It seems to affect all domains. We have these .cer files that are zero bytes in size and appear to be related to Plesk, and they require special procedures to delete.

When making backups we are seeing errors similar to this:

Not all the data from E:\vhosts\domain.com was listed successfully and would not be backed up: lstat(): Lstat failed for E:\vhosts\domain.com\httpdocs\LPT1.6E0pJTWq.cer

Anyone know what's going on?
 
Are you using Plesk backup or another backup solution? What does event viewer show? We need more details then what is provided but at a random guess since it's saying it's not able to list everything successfully from a domain tells me it's permission related.
 
I've seen this, they're not corrupt .cer files, they're an indicator/evidence that your hosting has been compromised and hacked.

You'll see random files that have reserved/forbidden names/extentions such as LPT1.***.cer, the contents of the .cer file will later be replaced with ASP. They use these reserved/forbidden names because they're hard to delete. There are lots of other reserved names that you'll see too like CON.***.cer, COM1.***.cer, LPT2.***.cer etc. You can read more about this technique here https://book.hacktricks.xyz/pentesting-web/file-upload

They want these files to remain on the server for as long as possible which is why they user reserved names, you wont be able to delete these files via FTP or even via the desktop. NTFS will not allow deletion of reserved names via native utilities, so you have to fool NTFS into not doing reserve-word checking with DEL \\.\D:\PATHTOFILE\LPT1.6E0pJTWq.cer

I've had to write special command prompt/batch files to search for and delete these files.

For example, this will find all files with the extension .cer and then loop through those files looking to see if it contains LTP1 in the filename. You would substitute \inetpub to \vhosts

Code:
FOR /R "D:\inetpub" %%# in (*.cer) DO (
    ECHO %%~nx# | FIND "%pattern%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
)

Below is my complete script for .cer files, you'll need to duplicate it for .asp, .aspx and .config (these are other extensions they use other than .cer) and I've added these batch scripts into windows task scheduler which execute each night. This script works for my purposes and has been tested only on my servers, so although I'm confident it's safe in my environment it hasn't been widely tested and as such if you decide to use it it's at your own risk.

Code:
SET "patterncon=CON"
SET "pattern=LPT1"
SET "pattern2=LPT2"
SET "pattern3=LPT3"
SET "pattern4=LPT4"
SET "pattern5=LPT5"
SET "pattern6=LPT6"
SET "pattern7=LPT7"
SET "pattern8=LPT8"
SET "pattern9=LPT9"
SET "pattern10=AUX"
SET "pattern11=CON"
SET "pattern12=PRN"
SET "pattern13=COM1"
SET "pattern14=COM2"
SET "pattern15=COM3"
SET "pattern16=COM4"
SET "pattern17=COM5"
SET "pattern18=COM6"
SET "pattern19=COM7"
SET "pattern20=COM8"
SET "pattern21=COM9"
SET "pattern22=nul"
SET "pattern23=NUL"

FOR /R "D:\inetpub" %%# in (*.cer) DO (
    ECHO %%~nx# | FIND "%patterncon%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern2%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern3%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern4%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern5%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern6%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern7%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern8%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern9%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern10%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern11%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern12%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern13%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern14%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern15%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern16%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern17%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern18%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern19%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern20%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern21%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    
    ECHO %%~nx# | FIND "%pattern22%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    
    ECHO %%~nx# | FIND "%pattern23%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
)
 
I've seen this, they're not corrupt .cer files, they're an indicator/evidence that your hosting has been compromised and hacked.

You'll see random files that have reserved/forbidden names/extentions such as LPT1.***.cer, the contents of the .cer file will later be replaced with ASP. They use these reserved/forbidden names because they're hard to delete. There are lots of other reserved names that you'll see too like CON.***.cer, COM1.***.cer, LPT2.***.cer etc. You can read more about this technique here https://book.hacktricks.xyz/pentesting-web/file-upload

They want these files to remain on the server for as long as possible which is why they user reserved names, you wont be able to delete these files via FTP or even via the desktop. NTFS will not allow deletion of reserved names via native utilities, so you have to fool NTFS into not doing reserve-word checking with DEL \\.\D:\PATHTOFILE\LPT1.6E0pJTWq.cer

I've had to write special command prompt/batch files to search for and delete these files.

For example, this will find all files with the extension .cer and then loop through those files looking to see if it contains LTP1 in the filename. You would substitute \inetpub to \vhosts

Code:
FOR /R "D:\inetpub" %%# in (*.cer) DO (
    ECHO %%~nx# | FIND "%pattern%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
)

Below is my complete script for .cer files, you'll need to duplicate it for .asp, .aspx and .config (these are other extensions they use other than .cer) and I've added these batch scripts into windows task scheduler which execute each night. This script works for my purposes and has been tested only on my servers, so although I'm confident it's safe in my environment it hasn't been widely tested and as such if you decide to use it it's at your own risk.

Code:
SET "patterncon=CON"
SET "pattern=LPT1"
SET "pattern2=LPT2"
SET "pattern3=LPT3"
SET "pattern4=LPT4"
SET "pattern5=LPT5"
SET "pattern6=LPT6"
SET "pattern7=LPT7"
SET "pattern8=LPT8"
SET "pattern9=LPT9"
SET "pattern10=AUX"
SET "pattern11=CON"
SET "pattern12=PRN"
SET "pattern13=COM1"
SET "pattern14=COM2"
SET "pattern15=COM3"
SET "pattern16=COM4"
SET "pattern17=COM5"
SET "pattern18=COM6"
SET "pattern19=COM7"
SET "pattern20=COM8"
SET "pattern21=COM9"
SET "pattern22=nul"
SET "pattern23=NUL"

FOR /R "D:\inetpub" %%# in (*.cer) DO (
    ECHO %%~nx# | FIND "%patterncon%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern2%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern3%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern4%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern5%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern6%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern7%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern8%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern9%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern10%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern11%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern12%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern13%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern14%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern15%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern16%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern17%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern18%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern19%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern20%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
    ECHO %%~nx# | FIND "%pattern21%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
 
    ECHO %%~nx# | FIND "%pattern22%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
 
    ECHO %%~nx# | FIND "%pattern23%" 1>NUL && (
        Echo \\.\%%#
        del \\.\%%#
    )
)
Wow, thank you for the detailed response and cleanup script. I suspected there might be an exploit or malware, but wasn't sure.
 
@DataPacket you're welcome, hope it helps! These files were a bit of a surprise to me too, I thought at first it may have been from one of Plesk's processes or related to Let's Encrypt but then started seeing some of the .cer extensions change to ,aspx and .php and knew something wasn't right.
 
Hello,

I'm having the same problem. A .cer file and css folder are created on each site. Sites are redirected to different sites. Is there a solution?
 
The solution is correcting the vulnerable code you're hosting, can't help you there as it could be anything so you'll need to do an audit.

Until then the batch script I shared will remove the files. But that's just treating the symptom and not the cause.
 
We deleted the .cer files with the codes. But the site still redirects to a different address. What would be the reason :( Thanks,
 
The .cer files were their entry points. They later get filled with scripts and codes that provide them with further access/functionality. From that point they can edit any file they want.

You'll need to audit all of your files looking for foreign code (code that doesn't belong there). If you have a local backup then download all files on the server to a different local directory and use software comparison to compare the two directories (local and your local remote files). Look for additional files not present in your local backup and any altered files different to those in your local backup.

You could also start by looking at most recently/last edited files.

Also start by looking at web.config/.htaccess and index files, look for any lines that don't look familiar or any javascript that you don't remember adding.

There is no blanket fix for this, you'll have audit all the files to find those that have been compromised. Good luck!
 
Your browser may have cached redirects.

Clear your internet files/history and try it. Also make sure you don't have an web.config/.htaccess left in the directory.
 
I detected the problem.

When I block the 107.167.20.45 ip address on the firewall, the sites open without any problems.

But when I unblock the 107.167.20.45 ip address, the forwarding becomes active automatically.
 
Back
Top