
Question Hacked - can you help?

GuiltySpark

New Pleskian
Hi, I was recently hacked and am looking for some help.

I allow users to upload images to my site and use a JS plugin that calls a PHP script to upload the image. I stupidly didn't filter the types of files that could be uploaded, so someone uploaded and then ran a php file that accepted input and executed a shell_exec().

Before I plugged the hole I used the script and did a "whoami" and found it was the Plesk system user.

I had just assumed the default Apache user wouldn't be the Plesk system user?

Is there something I have done wrong in my setup or am I misunderstanding it?

Thanks in advance.
 
When allowing uploads, POSTs and even GETs, all user data that is transferred to a server must be checked. For POSTs and GETs the data should be escaped, so that no SQL injection can be inserted into it. For uploads, as you have already noticed, it is a good idea to prevent .php files from being uploaded. If they are allowed at all, such files should be moved out of the temporary upload directory and stored in a "secret" directory, but in general it is better to disallow such uploads altogether.

Then you will also want to add at least this to the "Additional configuration directives" section of the PHP configuration of the domain:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
This is not only important for your upload scenario, but also for existing scripts on the server. You never know whether a script includes malware or opens a back door so that someone can upload malware.

And you should also check whether your /tmp partition is protected against script execution. Nothing in /tmp must be executable.
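A hardened version of the upload handler the question describes, as an added example that is not code from the original thread or from Plesk. One point worth stating plainly before the code: in Plesk, PHP for a domain is normally executed (through FPM or FastCGI) as that subscription's system user, so the whoami result in the question is the expected design, and an uploaded web shell gets that user's rights over every file of the subscription. The defence therefore cannot be "filter .php"; the upload must never land anywhere the web server would execute it, and the server must choose the stored name itself. UPLOAD_DIR, the "image" form field, the size limit and the example vhost path are assumptions; the code needs PHP 7.4 or later with the bundled fileinfo extension.

```php
<?php
// Added example (not from the original thread): a hardened replacement for
// the kind of upload script described in the question. UPLOAD_DIR, the
// "image" field name and MAX_BYTES are assumptions for illustration.
declare(strict_types=1);

// Store uploads OUTSIDE the document root. Even if every check below were
// bypassed, the web server must never be able to execute what lands here.
const UPLOAD_DIR = '/var/www/vhosts/example.com/private/uploads'; // assumed path
const MAX_BYTES  = 5 * 1024 * 1024;

// Detected MIME type => extension WE assign. The client's filename and
// $_FILES[...]['type'] are attacker-controlled and are never consulted.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate one entry of $_FILES and move it to a random name in UPLOAD_DIR.
 * Returns the stored basename; throws RuntimeException on any failure.
 */
function store_image(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed (error code $err)");
    }
    // Rejects a forged $_FILES entry that points at an arbitrary local path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 1. Sniff the real content type from the bytes, not from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }

    // 2. Require that the file also parses as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        throw new RuntimeException('Not a valid image');
    }

    // 3. We choose the name: random, one fixed extension, no user input, so
    //    shell.php, shell.php.jpg or shell.phtml can never be written.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // data, never executable
    return $name;
}

/**
 * Serve a stored image by basename. Since images never sit in the document
 * root, this read-only path is the only way they reach a browser.
 */
function serve_image(string $name): void
{
    // Only names this script generated are valid: 32 hex chars + extension.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif|webp)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if (php_sapi_name() !== 'cli') {
    if (isset($_GET['img'])) {
        serve_image((string) $_GET['img']);
    } else {
        header('Content-Type: application/json');
        try {
            echo json_encode(['ok' => true, 'name' => store_image($_FILES['image'] ?? [])]);
        } catch (RuntimeException $e) {
            http_response_code(400);
            echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
        }
    }
}
```

The content checks alone are not a boundary: a polyglot such as a valid GIF with PHP appended after the image data passes both finfo and getimagesize(). What stops it from running is that the file is written outside the document root, under a name and extension the server picked, and is only ever returned through readfile() with a non-executable content type. The "secret" directory the answer mentions works only if it is outside the document root or the PHP handler is switched off for it; a hidden directory that Apache still serves with PHP enabled is no protection.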
 
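A small audit script for the two server-side points in the answer above (the per-domain disable_functions directive and a noexec /tmp), as an added example that is not from the original thread or from Plesk. It is written in PHP on purpose: disable_functions is a PHP_INI_SYSTEM setting, so `php -r` on the CLI shows the CLI php.ini, not what the domain's FPM or FastCGI handler actually enforces; placing this file under the domain, requesting it once through the web server and then deleting it reports the effective values for that domain. Reading /proc/mounts is Linux-specific; the constructed sample input in the comments, the file name and the mount-point parsing are assumptions for illustration.

```php
<?php
// Added example (not from the original thread): audit the two hardening
// points from the answer under the domain's own PHP handler. Linux only
// (reads /proc/mounts). Delete the file after one run.
declare(strict_types=1);

// The disable_functions list recommended in the answer.
const WANT_DISABLED = ['exec', 'passthru', 'shell_exec', 'system', 'popen',
    'show_source', 'pcntl_exec', 'proc_open', 'proc_terminate', 'proc_close',
    'pfsockopen'];

/** Names from WANT_DISABLED that are still callable under the given value
 *  of ini_get('disable_functions'). Example (constructed input):
 *  missing_disabled_functions('exec, system') returns the other nine names. */
function missing_disabled_functions(string $disableFunctions): array
{
    $have = array_map('trim', explode(',', $disableFunctions));
    return array_values(array_diff(WANT_DISABLED, $have));
}

/** Mount options of the filesystem holding $dir, from a /proc/mounts-style
 *  listing. The longest mount point that is a prefix of $dir wins, so a
 *  bind-mounted /tmp is distinguished from the root filesystem. */
function mount_options(string $mounts, string $dir): array
{
    $best = '';
    $opts = [];
    foreach (preg_split('/\R/', trim($mounts)) as $line) {
        $f = preg_split('/\s+/', $line);
        if (count($f) < 4) {
            continue;
        }
        $mp     = $f[1];
        $prefix = rtrim($mp, '/') . '/';           // "/" becomes "/", "/tmp" becomes "/tmp/"
        $covers = $dir === $mp || strncmp($dir, $prefix, strlen($prefix)) === 0;
        if ($covers && strlen($mp) > strlen($best)) {
            $best = $mp;
            $opts = explode(',', $f[3]);
        }
    }
    return $opts;
}

/** True if the filesystem holding $dir is mounted noexec. With the constructed
 *  listing "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0" this is true for
 *  /tmp and /tmp/sub, and false for /var/tmp. */
function is_noexec(string $mounts, string $dir): bool
{
    return in_array('noexec', mount_options($mounts, $dir), true);
}

// Report for the PHP configuration this script is actually running under.
header('Content-Type: text/plain');
$missing = missing_disabled_functions((string) ini_get('disable_functions'));
echo $missing
    ? 'disable_functions still allows: ' . implode(', ', $missing) . "\n"
    : "disable_functions: all recommended functions are disabled\n";

// PHP writes uploads to upload_tmp_dir, falling back to the system temp dir;
// that is the directory an upload-to-exec chain needs to be executable.
$tmp    = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
$mounts = @file_get_contents('/proc/mounts');
if ($mounts === false) {
    echo "cannot read /proc/mounts (not Linux, or open_basedir blocks it)\n";
} else {
    printf("%s is %s\n", $tmp, is_noexec($mounts, $tmp) ? 'mounted noexec' : 'NOT mounted noexec');
}
```

Two caveats. First, disable_functions is defence in depth, not a boundary: it only removes the convenient PHP wrappers, and code running as the subscription user can still read and write every file of that subscription, so it complements, rather than replaces, keeping uploads out of executable locations. Second, a noexec /tmp stops a dropped binary from being run directly but does not stop the interpreter from reading a script from /tmp; it is still worth having, because many drop-and-exec payloads assume an executable temp directory.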