
Hacked like a charm...

knocx

Guest
It happened again... 2 compromises in 2 days...

Fully patched fresh Windows 2003 with Plesk 7.5.6 compromised in 30 minutes after rebuild!!!

Here is how the attack occurs
==========================

First we observe service.dll and Nadeware.msi in the system32 folder, and then we observe an account named "help" added to the Administrators group!

This is weird, since after each rebuild I did an ACL fix for the following files
before bringing any service online; during rebuild and reconfiguration none of the
services was active (all ports were closed):

explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe,
finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe,
regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe,
telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, cscript.exe, exetobin.exe and xcopy.exe,
so that those files are accessible only by "Administrator".

Wscript.Shell, Wscript.Shell.1, Wscript.Network and Wscript.Network.1 removed.

All unneeded services like Indexing Service, Remote Registry, ... were disabled.

And all critical folders were properly configured,

so that those directories are accessible only by "System" and "Administrator",

except cmd.exe, since Plesk needs it. The Plesk user (Plesk administrative account), which is a member of the Administrators group,
seems to be the only suspect.

I have read constantly about people getting hacked using Plesk on their servers.

I believe there may be a big vulnerability with the Plesk administrative account which some hacker groups have already
explored and are using.

People who observe similar attacks, please post here.

knocx
 
Our Windows server with Plesk 7.5.5 was also hacked 2 days ago.
A group of Turkish hackers were able to deface all sites on the server by uploading a number of index pages to the sites.

Hope someone from Plesk looks into this issue.
 
- Do you have a hardware firewall?

- Are you running any site with PHP enabled?
 
Apparently there is a big security vulnerability for Windows servers running Plesk, and it has nothing to do with PHP.
There are a number of threads on webhostingtalk.com with people facing the same issue over the last 2 weeks.

Somehow the hackers are able to upload index.htm, index.html, index.php... to every single site on the server.

Please see the following threads:
http://forum.swsoft.com/showthread.php?s=&threadid=32636&highlight=hacked

http://forum.swsoft.com/showthread.php?s=&threadid=33340&highlight=hacked

I am hoping the Plesk developers look into this issue urgently and come up with some sort of patch.

:(
 
Hacked like hell.....

Hackers use FTP to upload bad content (phishing). Every night again.
The server must be reinstalled, but I am afraid to restore the backups of the domains as there could be bad stuff in them.

This is what I did until now.

- I deleted all bad things that were uploaded that I found in the logfiles.

- Hacked sites received new passwords and logins.

- FTP is blocked for several hours when the login is wrong 3 times.

What else could be done? I am really desperate!
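The two patterns the posts above describe (repeated wrong FTP logins from one client, and one client dropping index.* pages into many different site roots) can both be picked out of the FTP log. The script below is an added example and is not code from the thread or from Plesk. It assumes a simplified, constructed W3C-style log line (date, time, client IP, user, command, path, status code) and a vhost layout of /vhosts/<domain>/httpdocs/...; both the log format and the helper names are assumptions.

```python
"""Flag FTP brute-force bursts and mass index-page uploads in a (constructed) FTP log."""
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: fields are date time c-ip cs-username cs-method cs-uri-stem sc-status.
# 530 = login failed, 230 = login ok, 226 = transfer complete (standard FTP reply codes).
SAMPLE_LOG = """\
2006-03-01 02:10:01 10.0.0.5 alice PASS - 530
2006-03-01 02:10:03 10.0.0.5 alice PASS - 530
2006-03-01 02:10:05 10.0.0.5 alice PASS - 530
2006-03-01 02:10:09 10.0.0.5 alice PASS - 230
2006-03-01 02:11:00 10.0.0.5 alice STOR /vhosts/example-a.test/httpdocs/index.htm 226
2006-03-01 02:11:20 10.0.0.5 bob STOR /vhosts/example-b.test/httpdocs/index.html 226
2006-03-01 02:11:40 10.0.0.5 carol STOR /vhosts/example-c.test/httpdocs/index.php 226
2006-03-01 03:00:00 192.0.2.7 dave PASS - 230
2006-03-01 03:00:30 192.0.2.7 dave STOR /vhosts/example-d.test/httpdocs/img/logo.gif 226
2006-03-01 04:00:00 198.51.100.9 erin PASS - 530
2006-03-01 04:30:00 198.51.100.9 erin PASS - 530
2006-03-01 05:00:00 198.51.100.9 erin PASS - 530
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, user, method, uri, status = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip, "user": user, "method": method, "uri": uri, "status": int(status),
        })
    return records


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed} for clients with `threshold`
    failed logins inside a sliding `window`. This is the "3 wrong logins -> block"
    rule from the post, with the window made explicit so slow guessing spread over
    hours is not counted the same as a burst."""
    failures = defaultdict(list)
    flagged = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["method"] != "PASS" or r["status"] != 530 or r["ip"] in flagged:
            continue
        times = failures[r["ip"]]
        times.append(r["ts"])
        while times and r["ts"] - times[0] > window:   # forget failures outside the window
            times.pop(0)
        if len(times) >= threshold:
            flagged[r["ip"]] = r["ts"]
    return flagged


def site_of(uri):
    """Map an upload path to its vhost; assumes /vhosts/<domain>/... layout."""
    parts = uri.strip("/").split("/")
    return parts[1] if len(parts) >= 3 and parts[0] == "vhosts" else None


def mass_index_uploads(records, min_sites=3):
    """Return {ip: [sites]} for clients that successfully stored an index.* or
    default.* file into at least `min_sites` different vhosts, regardless of
    which FTP user was used for each site."""
    per_ip = defaultdict(set)
    for r in records:
        if r["method"] != "STOR" or r["status"] != 226:
            continue
        stem, _ext = posixpath.splitext(posixpath.basename(r["uri"]).lower())
        site = site_of(r["uri"])
        if stem in ("index", "default") and site:
            per_ip[r["ip"]].add(site)
    return {ip: sorted(s) for ip, s in per_ip.items() if len(s) >= min_sites}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("brute-force candidates:", failed_login_bursts(recs))
    print("mass index uploads:", mass_index_uploads(recs))
```

The second detector keys on the client address rather than the FTP user, because the thread's symptom is many sites defaced from the outside using whatever credentials the attacker obtained per site; a per-user rule would miss that.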
 
Hello people,

I realise this is a pretty stupid question, but I just don't see it: I installed the security patch and all went well. How can I, in general, see, however, if this patch is installed?

Even more, how can I see in general what updates have been installed and what build I am on?

Regards,

Mav.
 
Originally posted by EuroMaverick
Hello people,

I realise this is a pretty stupid question, but I just don't see it: I installed the security patch and all went well. How can I, in general, see, however, if this patch is installed?

Even more, how can I see in general what updates have been installed and what build I am on?

Regards,

Mav.

Go to Add/Remove Programs. You can see all the patches installed.
 
I suppose you mean in the Windows Control Panel?

That is correct, but the security patch is not presented there.

Also, on the "normal" updates, only the most recently installed one is visible. This is OK if each update replaces the previous ones, but I am not sure that is actually the case; it would be nice to get some confirmation on this...

Regards,

Mav.
 
Originally posted by knocx
It happened again... 2 compromises in 2 days...

Fully patched fresh Windows 2003 with Plesk 7.5.6 compromised in 30 minutes after rebuild!!!

Here is how the attack occurs
==========================

First we observe service.dll and Nadeware.msi in the system32 folder, and then we observe an account named "help" added to the Administrators group!

This is weird, since after each rebuild I did an ACL fix for the following files
before bringing any service online; during rebuild and reconfiguration none of the
services was active (all ports were closed):

explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe,
finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe,
regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe,
telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, cscript.exe, exetobin.exe and xcopy.exe,
so that those files are accessible only by "Administrator".

Wscript.Shell, Wscript.Shell.1, Wscript.Network and Wscript.Network.1 removed.

All unneeded services like Indexing Service, Remote Registry, ... were disabled.

And all critical folders were properly configured,

so that those directories are accessible only by "System" and "Administrator",

except cmd.exe, since Plesk needs it. The Plesk user (Plesk administrative account), which is a member of the Administrators group,
seems to be the only suspect.

I have read constantly about people getting hacked using Plesk on their servers.

I believe there may be a big vulnerability with the Plesk administrative account which some hacker groups have already
explored and are using.

People who observe similar attacks, please post here.

knocx

Bingo!

Some hackers explored the Plesk Administrator account; by using it they can control your server. I think there is a default password for this account.
 
You mean, those who have been hacked had set a weak password for the Administrator account?
 
Make sure that you guys who are being hacked with the index changes do not have any FCKeditors on your domains with the file manager enabled.

It allows people to upload ASP files even though it is meant to check for images only.

FCKeditor lamely only checks for instr of the image extensions.

So if you have a file badfile.jpg.asp, FCKeditor will allow it; this file can then be accessed from the net and used to delete/replace files. Most script kiddies are using this to deface the indexes and defaults while leaving the rest of the files intact.

Do not ever allow an FCKeditor onto any of your domains without deleting its filemanager folder.
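The check the post describes (a substring test for an image extension, which lets badfile.jpg.asp through) is shown below beside a hardened version. This is an added example written for this thread; it is not FCKeditor's code, and the allowlist, regex and function names are my own assumptions. The hardened check only looks at the name: the storage name it produces should additionally be written outside any script-enabled directory.

```python
"""Vulnerable substring-style extension check versus a hardened allowlist check."""
import re

# Assumed allowlist for an image-only upload handler.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Exactly one dot, a short safe base name, a short alphanumeric extension, nothing else.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def is_allowed_substring_check(filename):
    """Vulnerable: accepts the file if an allowed extension appears ANYWHERE in the
    name (the instr-style test described in the post). 'badfile.jpg.asp' passes."""
    lower = filename.lower()
    return any(f".{ext}" in lower for ext in ALLOWED_IMAGE_EXTENSIONS)


def is_allowed_hardened(filename):
    """Hardened: the whole name must match SAFE_NAME_RE (so no path separators,
    no NUL bytes, no second extension) and the single final extension must be in
    the allowlist, compared case-insensitively."""
    match = SAFE_NAME_RE.match(filename)
    return bool(match) and match.group(1).lower() in ALLOWED_IMAGE_EXTENSIONS


def storage_name(filename, token):
    """Build the on-disk name from a server-generated token plus the validated
    extension, so nothing from the client-supplied name reaches the filesystem.
    `token` is supplied by the caller (e.g. a random hex string) to keep this
    function deterministic for testing."""
    if not is_allowed_hardened(filename):
        raise ValueError("upload rejected: extension not allowed")
    ext = SAFE_NAME_RE.match(filename).group(1).lower()
    return f"{token}.{ext}"


if __name__ == "__main__":
    for name in ("photo.jpg", "badfile.jpg.asp", "../photo.jpg", "photo.jpg\x00.asp"):
        print(f"{name!r:24} substring={is_allowed_substring_check(name)!s:5} "
              f"hardened={is_allowed_hardened(name)}")
```

Running the block prints a row per constructed name; the only one on which the two checks disagree is badfile.jpg.asp, which is exactly the case from the post.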
 
Curious, what kind of firewall are you behind that would allow write access to the NT directory?

Do you have any type of HTTP filtering? Is the default FTP site (anonymous access) disabled?
 
Anyone know if SW-Soft announced such a vulnerability (constant admin password for Plesk)?

We dumped our Win servers and still wonder how the Win world goes :)

I hate to say it, but Win is **** with Plesk, since Win is not a suitable OS for a shared hosting environment. You have to tweak a Win server before using it as a shared server; on the other hand PSA treats ACL settings in Win like Linux, which is a real vulnerability.

We have Win servers without Plesk which have been secure for ages; this is because there are no naive ACLs implemented by the PSA software.

Creating clients as a group psacln is the main bottleneck of PSA, since anyone who is a member of psacln can traverse the others' dirs :))

I still can see that I can traverse directories on 7.6 Win servers easily with ASP, with PHP and with Perl.

The most fun part is I can execute cmd.exe with .NET scripts :) easily on the server, since the default machine config allows me to do so :) .NET is ****

Anyone running Plesk on Win should beware of compromise.

Anyone who thinks he is secure, please watch for anomalies on your server...

If your server crashes frequently, if you have perf. problems, if you ever had a case of the MySQL admin password not working, please check

c:/winnt/system32 and c:/winnt/repair: are there any strange files there like samdump and other strange executables?

Good luck
knocx
 