
Hack attack or Plesk updates?

theywill

Basic Pleskian

Background:
I'm setting up a new server at Layered Tech. They provided the Plesk install. I ran a few updates. It's been less than 72 hours since the server was brought to life.

A consultant is helping me migrate accounts. He ran netstat and found a segmentation error. Then I received an "Unknown HZ value! (89) Assume 100" error message when using top/ps. I did some Googling and noticed that these are often signs of a hack. Then I ran Watchdog's security check and found this in the log: "Warning: Network TCP port 6667 is being used by /var/juno/httpd".

At this point, I'm thinking oh no! How could I get hacked that fast; nothing is even active on this server.

Then I went to /bin and saw that ps and netstat were owned by psaadm instead of root (like the other programs, and those on my old server). So then I actually tried to connect on port 6667, and I couldn't.

Could these anomalies have been caused by the Plesk install or updates? Or do you think I really have been hacked?

Thanks for any feedback you have.
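Two of the indicators in this post (core binaries whose owner is no longer root, and a listener on the IRC port 6667) can be checked mechanically. The following script is an added example, not from the thread; it runs over constructed sample `ls -l` and `netstat -tlnp` output so it executes offline, and the function names and samples are mine.

```shell
#!/bin/sh
# Added example, not from the thread: two triage checks for the indicators the
# original post lists. The samples below are constructed so the script runs
# offline; on a live box feed it the real output of
#   ls -l /bin/ps /bin/netstat /bin/ls    and    netstat -tlnp

# Constructed `ls -l` output: ps and netstat owned by psaadm instead of root.
SAMPLE_LS='-rwxr-xr-x 1 root   root   87000 Jan 10 10:00 /bin/ls
-rwxr-xr-x 1 psaadm psaadm 77000 Jan 12 03:12 /bin/ps
-rwxr-xr-x 1 psaadm psaadm 99000 Jan 12 03:12 /bin/netstat
-rwxr-xr-x 1 root   root   60000 Jan 10 10:00 /bin/cat'

# Constructed `netstat -tlnp` output: an httpd process listening on 6667.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 1544/httpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1201/httpd'

# Read `ls -l` lines on stdin; print the path of every file whose owner is not root.
non_root_binaries() {
    awk '$3 != "root" { print $NF }'
}

# Read `netstat -tlnp` lines on stdin; print "port pid/program" for every LISTEN
# socket whose local port is in the space-separated list given as $1.
suspicious_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $6 == "LISTEN" {
            k = split($4, a, ":"); port = a[k]
            if (port in want) print port, $NF
        }'
}

# Run both checks over the samples; return 1 if anything was flagged so the
# script can be used as a cron job that only mails when something is wrong.
triage() {
    bad=$(printf '%s\n' "$SAMPLE_LS" | non_root_binaries)
    irc=$(printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_listeners "6667 6668 6669")
    [ -n "$bad" ] && printf 'system binaries not owned by root:\n%s\n' "$bad"
    [ -n "$irc" ] && printf 'listeners on IRC ports:\n%s\n' "$irc"
    [ -z "$bad" ] && [ -z "$irc" ]
}
```

Call `triage` to run both checks; on the constructed samples it reports /bin/ps, /bin/netstat and the 6667 listener and exits non-zero. A clean ownership check is not proof of a clean box, since a rootkit that replaced ps and netstat can also hide from them, so confirm from a boot CD or a known-good copy of the tools.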
 
This is a hack. It occurs right after the initial installation via bot that uses Plesk's default username/password to log-in and install a rootkit.

*** Do not install Plesk with the default password. ***
 
That is scary, that they do the install using the standard userid/password!

Why on earth did they not assign you one, or ask you and install it?

It's a different story when it's your server, when you can run the install directly and then immediately log in and change it.

Having them install it without changing the password, and then letting hours and hours go by, is like leaving the keys in your ignition with the windows wound down.

I would complain; that's crappy service, and now you waste time due to their carelessness.
 
My thoughts exactly, and I gave a polite complaint. When I first logged in to Plesk, I was surprised that it was left with the default password, just sitting there, but I didn't see any problems. I can see this issue becoming a problem. I think it would be smart for the Plesk installer to generate a temporary, random password and provide it on the command line and/or via email.
 
It's not an issue. You execute the installer by shell and wait for it to finish. As soon as it's finished you can log in and change the details.

In your case they did this and left it.

Why on earth did they not simply either change it, or, even more simply, stop psa?

Send you an email, and then you can run /etc/init.d/psa start and change the details.

Slack.
 
RE: Hack attack or Plesk updates

I would normally agree, but ever since I ran a few updates over the last couple of weeks I too had the same issue...

"Unknown HZ value!....

Now, after running the updates again tonight, the error went away, which I find very strange. So far I only received that message when I ran the "top" command... but since the recent update no error... too bad Plesk didn't test their updates a little better... to top it off my DR WEB isn't working properly, failing to update MAILER DAEMON...

I love Plesk when it works but when it causes me problems I hate it!
 
For everyone doing first-time installations of Plesk, I added an automatic password-setting routine when you install Plesk with yum using:

wget -q -O - http://www.atomicorp.com/installers/plesk |sh

It will prompt you for an admin password, or otherwise generate one for you automatically. Otherwise you can run this manually on first-time installs with:

/usr/local/psa/bin/init_conf --init -passwd YOURPASSWORD
 