
Resolved Hacking attempt!

indy0077

Basic Pleskian
Hi,

Today something happened that we didn't expect, after a long time (many years) of peace of mind.
I don't know why I did it, but I opened the 'Active Plesk Sessions' section and saw that two admins were logged in. One was me, and the other one was logged in as 'admin' from the IP '122.53.58.30', which is in the Philippines.

I immediately changed the admin password and blocked the whole IP block. Then I looked at the logs to see what had happened. Here are the entries, just to get an idea of how they cracked the password or whatever they did.

Plesk error log:

[Fri Sep 01 08:29:54.144835 2017] [proxy_fcgi:error] [pid 7888:tid 140564548777728] [client 122.53.58.30:29704] AH01071: Got error 'PHP message: PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/home/admin/httpdocs/whmcsinstallation/configuration.php) is not within the allowed path(s): (/var/www/vhosts/xyz.com/:/tmp/) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 880\nPHP message: PHP Warning: file_get_contents(/home/admin/httpdocs/whmcsinstallation/configuration.php): failed to open stream: Operation not permitted in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 880\nPHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:891\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 891\n', referer: .xyz Domain Names | Join Generation XYZ
[Fri Sep 01 08:30:29.821686 2017] [proxy_fcgi:error] [pid 7808:tid 140564448065280] [client 122.53.58.30:29728] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:30:37.247400 2017] [proxy_fcgi:error] [pid 7808:tid 140564531992320] [client 122.53.58.30:29732] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:30:53.470007 2017] [proxy_fcgi:error] [pid 7832:tid 140564582348544] [client 122.53.58.30:29741] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:31:20.290011 2017] [proxy_fcgi:error] [pid 7832:tid 140564615919360] [client 122.53.58.30:29537] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:891\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 891\n', referer: .xyz Domain Names | Join Generation XYZ
[Fri Sep 01 08:31:28.826262 2017] [proxy_fcgi:error] [pid 7808:tid 140564719195904] [client 122.53.58.30:29541] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:36:34.972675 2017] [proxy_fcgi:error] [pid 7832:tid 140564490028800] [client 122.53.58.30:29619] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 08:36:36.795446 2017] [proxy_fcgi:error] [pid 7832:tid 140564490028800] [client 122.53.58.30:29619] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 08:36:51.409627 2017] [proxy_fcgi:error] [pid 7888:tid 140564464850688] [client 122.53.58.30:29630] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 08:46:11.106343 2017] [proxy_fcgi:error] [pid 7888:tid 140564515206912] [client 122.53.58.30:29571] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'


Login attempts:

122.53.58.30 [2017-09-01 08:24:36] 'CP User Login Attempt Failed' ('Login Name': 'xyz' => '')
122.53.58.30 admin [2017-09-01 08:24:42] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:38:16] 'CP User Logout' ('Contact Name': 'Administrator' => '')
122.53.58.30 admin [2017-09-01 08:38:27] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:48:27] 'Update Physical Hosting' ('Client GUID': 'e01be7f8-ed52-4c69-a16e-0f293aab8169' => 'e01be7f8-ed52-4c69-a16e-0f293aab8169', 'Domain GUID': '73974401-c369-424c-ad1b-983301fd48ad' => '73974401-c369-424c-ad1b-983301fd48ad', 'Domain Name': 'xyz.com' => 'xyz.com', 'System Shell': '/bin/false' => '/bin/bash')

They also uploaded a file called 'lol.php' into our WHMCS installation. The file is attached for checking.

Any idea what happened, how to avoid this in the future, etc., and any tips?

Many thanks
 

Attachments

  • lol.zip
    12.9 KB
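The two log excerpts in the post (the Apache/proxy_fcgi error log and the Plesk action log under "Login attempts") can be triaged together. The following Python is an added example for this thread, not code from the original post or from Plesk or WHMCS; it runs over abbreviated copies of the lines quoted above plus one constructed benign Apache line, and its regexes, field names and the Finding record are this example's own assumptions. It surfaces the four things the quoted logs actually show: a script executing eval()'d code with a base64 token (the fragment PHP printed, `JGN1cnJlbnRGaWxlID0gJF9TRVJWR`, decodes to `$currentFile = $_SERV`, the start of a PHP statement, which is what an eval-wrapped shell looks like in a parse error), an open_basedir violation where lol.php tried to read another account's WHMCS configuration.php, a successful 'admin' login six seconds after a single failed attempt from the same IP, and an 'Update Physical Hosting' action that changed the account's system shell from /bin/false to /bin/bash.

```python
"""Triage the two log excerpts quoted in the post.

Added example for this thread, not code from the original post or from
Plesk/WHMCS. Sample lines are abbreviated copies of the ones quoted above
plus one constructed benign Apache line; the regexes, field names and the
Finding record are this example's own assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import datetime

# --- constructed sample input ------------------------------------------------
# Lines 1-2: abbreviated from the Apache/proxy_fcgi error log in the post.
# Line 3: constructed benign PHP notice from a documentation IP; must not be flagged.
APACHE_ERRORS = r"""[Fri Sep 01 08:29:54.144835 2017] [proxy_fcgi:error] [pid 7888:tid 140564548777728] [client 122.53.58.30:29704] AH01071: Got error 'PHP message: PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/home/admin/httpdocs/whmcsinstallation/configuration.php) is not within the allowed path(s): (/var/www/vhosts/xyz.com/:/tmp/) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 880\n'
[Fri Sep 01 08:36:34.972675 2017] [proxy_fcgi:error] [pid 7832:tid 140564490028800] [client 122.53.58.30:29619] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 09:00:00.000000 2017] [proxy_fcgi:error] [pid 7832:tid 140564490028800] [client 192.0.2.10:40000] AH01071: Got error 'PHP message: PHP Notice: Undefined index: page in /var/www/vhosts/xyz.com/httpdocs/index.php on line 12\n'
"""

# Abbreviated from the post's "Login attempts" (Plesk action log); GUID fields dropped.
PLESK_ACTIONS = """122.53.58.30 [2017-09-01 08:24:36] 'CP User Login Attempt Failed' ('Login Name': 'xyz' => '')
122.53.58.30 admin [2017-09-01 08:24:42] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:48:27] 'Update Physical Hosting' ('Domain Name': 'xyz.com' => 'xyz.com', 'System Shell': '/bin/false' => '/bin/bash')
"""

CLIENT_RE = re.compile(r"\[client (?P<ip>[\d.]+):\d+\]")
SCRIPT_RE = re.compile(r" in (?P<path>/\S+?\.php)")
# A long run of base64 alphabet inside quotes, as PHP prints the unexpected token.
B64_RE = re.compile(r"'(?P<tok>[A-Za-z0-9+/]{20,}={0,2})'")
# Assumed layout: "<ip> [<user>] [<timestamp>] '<action>' ('<field>': 'old' => 'new', ...)"
ACTION_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?:(?P<user>\S+)\s+)?\[(?P<ts>[^\]]+)\]\s+'(?P<action>[^']+)'\s*(?P<detail>.*)$"
)
SHELL_RE = re.compile(r"'System Shell': '(?P<old>[^']*)' => '(?P<new>[^']*)'")
TS_FMT = "%Y-%m-%d %H:%M:%S"
DISABLED_SHELLS = {"", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}  # assumption


@dataclass(frozen=True)
class Finding:
    source: str   # "apache" or "plesk"
    ip: str
    reason: str
    detail: str


def decode_b64_prefix(token: str) -> str:
    """Decode a base64 token; if PHP cut it mid-group, drop the trailing partial
    group and decode what is whole (the prefix is enough to recognise code)."""
    for candidate in (token, token[: len(token) // 4 * 4]):
        try:
            return base64.b64decode(candidate, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
    return ""


def triage_apache(text: str) -> list[Finding]:
    """Flag eval()'d encoded payloads and open_basedir violations per client IP."""
    findings = []
    for line in text.splitlines():
        client = CLIENT_RE.search(line)
        if not client:
            continue
        ip = client.group("ip")
        script = SCRIPT_RE.search(line)
        path = script.group("path") if script else "?"
        if "eval()'d code" in line:
            tok = B64_RE.search(line)
            payload = decode_b64_prefix(tok.group("tok")) if tok else ""
            findings.append(Finding("apache", ip, "eval of encoded payload", f"{path}: {payload!r}"))
        if "open_basedir restriction in effect" in line:
            findings.append(Finding("apache", ip, "open_basedir violation (read outside vhost)", path))
    return findings


def triage_plesk_actions(text: str) -> list[Finding]:
    """Flag a login shortly after a failed attempt from the same IP, and any
    hosting change that turns a disabled system shell into a real one."""
    findings = []
    last_failed: dict[str, datetime] = {}
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue
        ip, action, detail = m.group("ip"), m.group("action"), m.group("detail")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        if action == "CP User Login Attempt Failed":
            last_failed[ip] = ts
        elif action == "CP User Login" and ip in last_failed:
            gap = (ts - last_failed[ip]).total_seconds()
            findings.append(Finding("plesk", ip, "login succeeded after failed attempt",
                                    f"{gap:.0f}s after failure as {m.group('user')}"))
        shell = SHELL_RE.search(detail)
        if shell and shell.group("new") not in DISABLED_SHELLS:
            findings.append(Finding("plesk", ip, "SSH shell enabled for hosting account",
                                    f"{shell.group('old')} -> {shell.group('new')}"))
    return findings


def run() -> list[Finding]:
    return triage_apache(APACHE_ERRORS) + triage_plesk_actions(PLESK_ACTIONS)


def attacker_ips(findings: list[Finding]) -> list[str]:
    return sorted({f.ip for f in findings})


if __name__ == "__main__":
    for f in run():
        print(f"{f.source:6} {f.ip:15} {f.reason}: {f.detail}")
```

Note the ordering the timestamps give: the 'admin' login (08:24:42) precedes the first lol.php error (08:29:54), so the Apache log shows what was done after getting in, not how the credential was obtained. Changing the admin password does not revert the shell change or remove lol.php; both have to be undone separately, and every active Plesk session should be terminated as well.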
Hi indy0077,

I'm sorry to hear/read that you experienced hacker attempts on your server/webspace, but to be honest, I doubt that they are "Plesk related" at all.

If you experience issues/errors/problems with a WHMCS installation, please note that they also offer additional security advice/docs, for example:

Please open a new thread at

=> Home > Forum > General Discussion > Open Topics

... if you would like to discuss non-Plesk-related issues/errors/problems. ;)
 
Thanks for your advice, 'UFHH01', but the WHMCS security recommendations were implemented on our installations years ago.

Also, they didn't access our WHMCS account; they logged in to our PLESK account, so I doubt it's a WHMCS-related issue.

122.53.58.30 admin [2017-09-01 08:24:42] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:38:16] 'CP User Logout' ('Contact Name': 'Administrator' => '')
122.53.58.30 admin [2017-09-01 08:38:27] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:48:27] 'Update Physical Hosting' ('Client GUID': 'e01be7f8-ed52-4c69-a16e-0f293aab8169' => 'e01be7f8-ed52-4c69-a16e-0f293aab8169', 'Domain GUID': '73974401-c369-424c-ad1b-983301fd48ad' => '73974401-c369-424c-ad1b-983301fd48ad', 'Domain Name': 'xyz.com' => 'xyz.com', 'System Shell': '/bin/false' => '/bin/bash')


Thanks
 
Hi, you can mark it as "RESOLVED", but the fact is it is not, and you are not right with your statement that it is WHMCS related.

After further investigation: they used the Plesk 'admin' account to log in, and as you can see in the last log line, they changed 'Access to the server over SSH' from 'False' to '/bin/bash'.
 
Again today, we noticed that someone with a Philippines IP was logged in to our Plesk admin panel.

[screenshot attached: 2017-09-09 19:27:43]
 
Hi indy0077,

consider contacting the official Plesk support => Contact Plesk Support, where experienced support engineers will investigate the issue together with you. Deeper investigations have to be done directly on your server, which is impossible over threads/posts at the Plesk Community Forum. :(
 
OK, but that means I have to buy a license directly from PLESK, as OVH is not able to fix it due to a lack of experience and knowledge.
 
Hi indy0077,

if the OVH support is not able to solve the issue(s), they will/should create a support ticket based on their partner contract with Plesk. ;)
 