knocx
Guest
It happened again... 2 compromises in 2 days...
Fully patched fresh Windows 2003 with PLESK 7.5.6 compromised in 30 minutes after rebuild!!!
Here is how the attack occurs
==========================
First we observe service.dll and Nadeware.msi in the system32 folder, and then we observe an account named "help" added to the Administrators group!
This is weird, since after each rebuild I did an ACL fix for the following files
before bringing any service online; during rebuild and reconfiguration none of the
services was active (all ports were closed):
explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe,
finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe,
regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe,
telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, cscript.exe, exetobin.exe and xcopy.exe,
so that those files are accessible only by "Administrator".
Wscript.Shell, Wscript.Shell.1, Wscript.Network and Wscript.Network.1 were removed.
All unneeded services like Indexing Service, Remote Registry, ... were disabled,
and all critical folders were properly configured
so that those directories are accessible only by "System" and "Administrator",
except cmd.exe, since Plesk needs it. The Plesk user (Plesk administrative account), which is a member of the Administrators group,
seems to be the only suspect.
I have read about people with Plesk servers constantly getting hacked.
I believe there may be a big vulnerability with the Plesk administrative account which some hacker groups have already
explored and are using.
People who observe similar attacks, please post here.
knocx
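The post above lists a hardening baseline (restrictive ACLs on a set of system binaries, the WScript COM ProgIDs unregistered) and two indicators of the compromise (dropped files in system32, a rogue "help" account in Administrators). The script below is an added example, not code from the poster or from Plesk: it verifies that baseline and looks for those indicators on a rebuilt host. It assumes PowerShell 2.0 is installed on the Windows 2003 box and is run from an elevated Administrator session; the allow-list of principals, the expected-admins list, and the reading of the post's "nbstat.exe" as the real binary name nbtstat.exe are assumptions to adjust to your own policy.

```powershell
# Added example (not from the original post): verify the hardening described above and
# look for the indicators of compromise it names. Assumes PowerShell 2.0 on Windows 2003,
# run as Administrator.

$System32 = Join-Path $env:SystemRoot 'System32'

# Binaries the post restricted to "Administrator" only ("nbstat.exe" read as nbtstat.exe).
$HardenedBinaries = @(
    'explorer.exe','regedit.exe','poledit.exe','taskman.exe','at.exe','cacls.exe','cmd.exe',
    'finger.exe','ftp.exe','nbtstat.exe','net.exe','net1.exe','netsh.exe','rcp.exe','regedt32.exe',
    'regini.exe','regsvr32.exe','rexec.exe','rsh.exe','runas.exe','runonce.exe','svrmgr.exe','sysedit.exe',
    'telnet.exe','tftp.exe','tracert.exe','usrmgr.exe','wscript.exe','cscript.exe','exetobin.exe','xcopy.exe'
)

# Principals allowed to hold any ACE on those binaries. The post allows only "Administrator";
# the Administrators group and SYSTEM are added here as an assumption so servicing keeps working.
$AllowedPrincipals = @("$env:COMPUTERNAME\Administrator", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Indicators named in the post: dropped files and an unexpected local admin ("help").
$IocFiles       = @('service.dll', 'Nadeware.msi')
$ExpectedAdmins = @('Administrator')   # assumption: add the Plesk administrative account name here

$findings = @()

# 1. Dropped files in System32
foreach ($f in $IocFiles) {
    $p = Join-Path $System32 $f
    if (Test-Path $p) {
        $item = Get-Item $p
        $findings += "IOC file present: $p (last written $($item.LastWriteTime))"
    }
}

# 2. Members of the local Administrators group outside the expected list
#    (ADSI WinNT provider works on 2003 without any AD module; names come back unqualified)
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
foreach ($m in $members) {
    if ($ExpectedAdmins -notcontains $m) {
        $findings += "Unexpected Administrators member: $m"
    }
}

# 3. ACLs on the hardened binaries: report any ACE granted to a principal not in the allow-list
foreach ($b in $HardenedBinaries) {
    $p = Join-Path $System32 $b
    if (-not (Test-Path $p)) { continue }   # not every build ships every tool (poledit.exe, usrmgr.exe)
    $acl = Get-Acl -Path $p
    foreach ($ace in $acl.Access) {
        if ($AllowedPrincipals -notcontains $ace.IdentityReference.Value) {
            $findings += "Loose ACL on ${p}: $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
}

# 4. WScript COM objects the post removed: their ProgIDs should no longer be registered
foreach ($progId in 'WScript.Shell','WScript.Shell.1','WScript.Network','WScript.Network.1') {
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\$progId") {
        $findings += "COM ProgID still registered: $progId"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it once right after the ACL fix (before any service is brought online) to confirm the baseline actually took, and again after Plesk is up to see which of the four checks regresses first. Note what this does and does not tell you: a clean result confirms the hardening is in place, but it does not identify the entry vector, and a Plesk administrative account that is itself a member of Administrators is not stopped by file ACLs that grant Administrators access.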