
Hacked like a charm...

Discussion in 'Plesk for Windows - 8.x and Older' started by knocx, Mar 5, 2006.

  1. knocx

    It happened again... 2 compromises in 2 days...

    Fully patched, fresh Windows 2003 with Plesk 7.5.6, compromised 30 minutes after rebuild!!!

    Here is how the attack occurs
    ==========================

    First we observed service.dll and Nadeware.msi in the system32 folder, and then we observed an account named help added to the Administrators group!

    This is weird, since after each rebuild I did an ACL fix for the following files
    before bringing any service online; during the rebuild and reconfiguration none of the
    services was active (all ports were closed):

    explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe,
    finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe,
    regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe,
    telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, cscript.exe, exetobin.exe and xcopy.exe
    where those files are accessible only by "Administrator".

    Wscript.Shell, Wscript.Shell.1, Wscript.Network and Wscript.Network.1 were removed.

    All unneeded services, like Indexing Service and Remote Registry, were disabled.

    And all critical folders were properly configured,

    where those directories are accessible only by "System" and "Administrator",

    except cmd.exe, since Plesk needs it. The Plesk user (Plesk administrative account), which is a member of the Administrators group,
    seems to be the only suspect.

    I have read constantly about people with Plesk servers getting hacked.

    I believe there may be a big vulnerability with the Plesk administrative account which some hacker groups have already
    explored and are using.

    People who have observed similar attacks, please post here.

    knocx
     
  2. kami@

    Our Windows server with Plesk 7.5.5 was also hacked 2 days ago.
    A group of Turkish hackers were able to deface all sites on the server by uploading a number of index pages to the sites.

    Hope someone from Plesk looks into this issue.
     
  3. colinjack

    Any idea how they did it?

    Colin :mad:
     
  4. tdscom

    - Do you have a hardware firewall?

    - Are you running any site with PHP enabled?
     
  5. kami@

    Apparently there is a big security vulnerability for Windows servers running Plesk, and it has nothing to do with PHP.
    There are a number of threads on webhostingtalk.com with people facing the same issue over the last 2 weeks.

    Somehow the hackers are able to upload index.htm, index.html, index.php... to every single site on the server.

    Please see the following threads:
    http://forum.swsoft.com/showthread.php?s=&threadid=32636&highlight=hacked

    http://forum.swsoft.com/showthread.php?s=&threadid=33340&highlight=hacked

    I am hoping the Plesk developers look into this issue urgently and come up with some sort of patch.

    :(
     
  6. tdscom

  7. Toepes

    Hacked like hell.....

    Hackers use FTP to upload bad content (phishing). Every night again.
    The server must be newly installed, but I am afraid to restore the backups of the domains as there could be bad stuff in them.

    This is what I did until now.

    - I deleted all bad things that were uploaded that I found in the logfiles.

    - Hacked sites received new passwords and logins.

    - FTP is blocked for several hours when the login is wrong 3 times.

    What else could be done? I am really desperate!
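Added example, not written by any poster in this thread: the two things described above, an FTP source being locked out after three wrong logins (Toepes) and an attacker who, once in, drops index pages onto every site on the box (kami@), can both be read out of the FTP log. The Python below parses a constructed, simplified log layout (date, time, client IP, user, FTP verb, argument, reply code; this is not the format of any real Plesk, IIS or Serv-U FTP log, so `LINE_RE` is the part to adapt), reports IPs that crossed the lockout threshold together with whether a successful login followed the burst, and flags a single IP that overwrote index/default pages in several distinct document roots. The `/<domain>/httpdocs/` layout, the IPs and every log line are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified layout:
#   date time client-ip user VERB argument reply-code
# This is NOT the format of any real Plesk, IIS or Serv-U FTP log; adapt LINE_RE to yours.
SAMPLE_LOG = """\
2006-03-04 02:10:01 203.0.113.7 webmaster PASS - 530
2006-03-04 02:10:03 203.0.113.7 webmaster PASS - 530
2006-03-04 02:10:05 203.0.113.7 webmaster PASS - 530
2006-03-04 02:10:09 203.0.113.7 webmaster PASS - 230
2006-03-04 02:11:12 203.0.113.7 webmaster STOR /example-a.com/httpdocs/index.htm 226
2006-03-04 02:11:15 203.0.113.7 webmaster STOR /example-b.com/httpdocs/index.html 226
2006-03-04 02:11:19 203.0.113.7 webmaster STOR /example-c.com/httpdocs/index.php 226
2006-03-04 02:11:22 203.0.113.7 webmaster STOR /example-d.com/httpdocs/default.asp 226
2006-03-04 09:30:00 198.51.100.4 alice PASS - 530
2006-03-04 09:30:20 198.51.100.4 alice PASS - 230
2006-03-04 09:31:00 198.51.100.4 alice STOR /example-a.com/httpdocs/news.html 226
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<verb>[A-Z]+) (?P<arg>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn the log text into a list of event dicts, skipping lines that do not match the layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def lockout_candidates(events, threshold=3, window=timedelta(minutes=10)):
    """IPs that produced `threshold` failed logins (530 after PASS) inside `window`.

    The value records when the threshold was crossed and, if the same IP then logged in
    successfully (230), when that happened: a success right after a burst of failures is
    the signature of a guessed password, not of a locked-out attacker.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["verb"] == "PASS":
            by_ip[ev["ip"]].append(ev)
    result = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fails, locked_at, success_after = [], None, None
        for ev in evs:
            if ev["status"] == 530:
                recent_fails = [t for t in recent_fails if ev["ts"] - t <= window]
                recent_fails.append(ev["ts"])
                if len(recent_fails) >= threshold and locked_at is None:
                    locked_at = ev["ts"]
            elif ev["status"] == 230 and locked_at is not None and success_after is None:
                success_after = ev["ts"]
        if locked_at is not None:
            result[ip] = {"locked_at": locked_at, "success_after_lockout": success_after}
    return result


# A STOR whose target is the index/default page of some vhost's document root.
DEFACEMENT_RE = re.compile(r"/([^/]+)/httpdocs/(index|default)\.[a-z0-9]+$", re.IGNORECASE)


def mass_index_uploads(events, min_sites=3):
    """Map client IP -> sorted list of distinct vhosts whose index/default page it overwrote.

    One FTP login normally touches one site; one IP writing index pages into several
    document roots is the "every site on the server defaced" pattern from this thread.
    """
    sites = defaultdict(set)
    for ev in events:
        if ev["verb"] == "STOR" and ev["status"] == 226:
            m = DEFACEMENT_RE.search(ev["arg"])
            if m:
                sites[ev["ip"]].add(m.group(1))
    return {ip: sorted(s) for ip, s in sites.items() if len(s) >= min_sites}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in lockout_candidates(evs).items():
        print(f"{ip}: lockout threshold crossed at {info['locked_at']}, "
              f"successful login afterwards: {info['success_after_lockout']}")
    for ip, vhosts in mass_index_uploads(evs).items():
        print(f"{ip}: overwrote index pages on {len(vhosts)} vhosts: {', '.join(vhosts)}")
```

The second check matters more than the first: blocking after three failures only helps when the password is not already known, and a login that succeeds straight after the failures, or one account writing into four different document roots, is exactly the case where the lockout rule did nothing.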
     
  8. EuroMaverick

    Hello people,

    I realise this is a pretty stupid question, but I just don't see it: I installed the security patch and all went well. How can I see, in general, whether this patch is installed?

    Even more, how can I see in general what updates have been installed and what build I am on?

    Regards,

    Mav.
     
  9. mlovick

    Go to add/remove programs. You can see all the patches installed.
     
  10. EuroMaverick

    I suppose you mean in the Windows Control Panel?

    That is correct, but the security patch is not presented here.

    Also, on the "normal" updates, only the most recently installed is visible. This is OK if each update replaces the previous ones, but I am not sure that is actually the case; it would be nice to get some confirmation on this...

    Regards,

    Mav.
     
  11. resellertr

    Bingo!

    Some hackers explored the Plesk Administrator account; by using it they can control your server. I think there is a default password for this account.
     
  12. tdscom

    You mean, those who have been hacked had set a weak password for the Administrator account?
     
  13. resellertr

    Yes;

    not the Windows Administrator account, the Plesk Administrator account.
     
  14. Zan_

    Make sure that you guys who are being hacked with the index changes do not have any FCKeditors on your domains with the file manager enabled.

    It allows people to upload ASP files even though it is meant to check for images only.

    FCKeditor lamely only checks for instr of the image extensions.

    So if you have a file badfile.jpg.asp, FCKeditor will allow it. This file can then be accessed from the net and used to delete/replace files. Most script kiddies are using this to deface the indexes and defaults while leaving the rest of the files intact.

    Do not ever allow an FCKeditor onto any of your domains without deleting its filemanager folder.
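Added example, not from Zan_ or from the FCKeditor project: the substring test described above, side by side with a hardened upload check. The code is Python rather than the editor's own ASP/VBScript, the function names, the allow-list and the two payload byte strings are constructed for the demo, and `naive_is_image` reproduces the behaviour the post describes (an `instr`-style "does an image extension occur anywhere in the name" test) rather than FCKeditor's actual source.

```python
import os
import re
import uuid

# Extensions the uploader is supposed to accept.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp"}

# Leading bytes of each accepted format (the public file-format signatures).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}

# A stem may contain only these characters: no second dot, no ';', no slashes, no spaces.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_is_image(filename):
    """The substring-style test the post describes (an InStr over the whole name):
    accept if any allowed extension occurs ANYWHERE in the name. badfile.jpg.asp passes."""
    lowered = filename.lower()
    return any(ext in lowered for ext in IMAGE_EXTENSIONS)


def accept_upload(filename, data):
    """Hardened check. Returns (stored_name, None) on accept or (None, reason) on reject.

    * the extension is whatever follows the LAST dot, so badfile.jpg.asp is an .asp file;
    * the stem must match SAFE_STEM, which kills double extensions, 'shell.asp;.jpg'
      style names and path separators with one rule;
    * the first bytes must match the claimed image format, so a script saved as .jpg fails;
    * the client's name is never reused: a random server-side name denies the attacker any
      say in what the web server will route to a script handler.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base:
        return None, "NUL byte in name"
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return None, "no extension"
    if not SAFE_STEM.match(stem):
        return None, "stem has characters outside [A-Za-z0-9_-] (double extension or separator)"
    ext = ext.lower()
    if ext not in IMAGE_EXTENSIONS:
        return None, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return None, f"content does not look like a .{ext}"
    return f"{uuid.uuid4().hex}.{ext}", None


# Constructed payloads: a JPEG header stub and an ASP one-liner.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
ASP_STUB = b'<% Response.Write("defaced") %>'

if __name__ == "__main__":
    for name, data in [("photo.JPG", JPEG_STUB), ("badfile.jpg.asp", ASP_STUB),
                       ("shell.asp;.jpg", ASP_STUB), ("photo.jpg", ASP_STUB)]:
        stored, reason = accept_upload(name, data)
        verdict = f"ACCEPT as {stored}" if stored else f"REJECT: {reason}"
        print(f"{name:16} naive={naive_is_image(name)!s:5} hardened={verdict}")
```

Even with this check in place, the upload directory should be one where the web server has script execution switched off; the name and header checks stop the case in the post, the execute permission is what stops the next trick.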
     
  15. lordElrond

    Curious what kind of firewall you are behind that would allow write access to the NT directory?

    Do you have any type of HTTP filtering? Is the default FTP site (anonymous access) disabled?
     
  16. knocx

    Does anyone know if SWsoft announced such a vulnerability (constant admin password for Plesk)?

    We dumped our Windows servers and still wonder how the Windows world goes :)

    I hate to say it, but Windows is **** with Plesk, since Windows is not a suitable OS for a shared hosting environment. You have to tweak a Windows server before using it as a shared server; on the other hand, PSA treats ACL settings in Windows like Linux, which is a real vulnerability.

    We have Windows servers without Plesk which have been secure for ages; this is because there are no naive ACLs implemented by the PSA software.

    Creating clients as a group, psacln, is the main bottleneck of PSA, since anyone who is a member of psacln can traverse the others' dirs :))

    I can still see that I can traverse directories on 7.6 Windows servers easily with ASP, with PHP and with Perl.

    The most fun part is I can execute cmd.exe with .NET scripts :) easily on the server, since the default machine config allows me to :) .NET is ****

    Anyone running Plesk on Windows should beware of compromise.

    Anyone who thinks he is secure, please watch for anomalies on your server...

    If your server crashes frequently, if you have performance problems, if you ever had a case of the MySQL admin password not working, please check

    c:/winnt/system32, c:/winnt/repair: are there any strange files there, like samdump and other strange executables?

    good luck
    knocx
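Added example, not from knocx or any other poster: the two anomalies this thread keeps coming back to are files that appear in system32 or repair (the first post's service.dll and Nadeware.msi, the last post's samdump) and an account that appears in the Administrators group (the first post's "help"). The Python below does the checks those posts describe by hand: it takes a size-plus-SHA-256 baseline of a directory tree and diffs a later snapshot against it, and it parses the member list out of `net localgroup Administrators` output and compares it with an allow-list. The directory tree, its file contents, the `net localgroup` text (whose header and footer wording is an approximation) and the account name `PleskAdmin` (a placeholder for whatever the Plesk administrative account is called on a given server) are all constructed so that the demo runs offline on any OS.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory):
    """Map each regular file under `directory` (relative, '/'-separated) to (size, sha256)."""
    root = Path(directory)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = (p.stat().st_size, hashlib.sha256(p.read_bytes()).hexdigest())
    return snap


def diff_snapshots(baseline, current):
    """Files that appeared, disappeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed text resembling `net localgroup Administrators` output on Windows 2003.
# The exact header/footer wording is an approximation, and 'PleskAdmin' is a placeholder
# for whatever the Plesk administrative account is called on a given server.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
help
PleskAdmin
The command completed successfully.
"""


def parse_net_localgroup(output):
    """Return the member names listed under the dashed separator."""
    members, in_members = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("---"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(output, allowed):
    """Members of the Administrators group that are not on the allow-list (case-insensitive)."""
    allowed_lower = {a.lower() for a in allowed}
    return [m for m in parse_net_localgroup(output) if m.lower() not in allowed_lower]


def demo_integrity_check():
    """Build a throwaway 'system32', baseline it, plant files the way the thread describes, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        (sysdir / "cmd.exe").write_bytes(b"MZ original cmd")
        (sysdir / "net.exe").write_bytes(b"MZ original net")
        baseline = snapshot(sysdir)                        # keep this copy OFF the box
        (sysdir / "Nadeware.msi").write_bytes(b"dropped")  # new file, as in the first post
        (sysdir / "cmd.exe").write_bytes(b"MZ trojaned")   # same name, different content
        return diff_snapshots(baseline, snapshot(sysdir))


if __name__ == "__main__":
    print(demo_integrity_check())
    print("unexpected Administrators members:",
          unexpected_admins(SAMPLE_NET_LOCALGROUP, ["Administrator", "PleskAdmin"]))
```

On a real server the baseline would be taken right after the rebuild, before any service is brought online (the same point at which knocx applied the ACL fixes), and stored somewhere the server cannot write to; an attacker who already holds Administrator can rewrite a baseline kept on the box just as easily as the binaries it describes.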
     