• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Hacking attempt!

indy0077

Basic Pleskian
Hi,

today happend something what we didn't expect and we had a long time (means many years) peace of mind.
I don't know why I did it, but openned the 'Active Plesk Sessions' section and saw there are two admins logged in. One was me and the other one was logged in as 'admin' with an IP '122.53.58.30' which is from Philippines.

Immediately changed the admin password and blocked the whole IP block. Then I looked at the logs, what happen. Here are the entries, just to get an idea how they cracked the password or what's ever.

Plesk error log:

[Fri Sep 01 08:29:54.144835 2017] [proxy_fcgi:error] [pid 7888:tid 140564548777728] [client 122.53.58.30:29704] AH01071: Got error 'PHP message: PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/home/admin/httpdocs/whmcsinstallation/configuration.php) is not within the allowed path(s): (/var/www/vhosts/xyz.com/:/tmp/) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 880\nPHP message: PHP Warning: file_get_contents(/home/admin/httpdocs/whmcsinstallation/configuration.php): failed to open stream: Operation not permitted in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 880\nPHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:891\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 891\n', referer: .xyz Domain Names | Join Generation XYZ
[Fri Sep 01 08:30:29.821686 2017] [proxy_fcgi:error] [pid 7808:tid 140564448065280] [client 122.53.58.30:29728] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:30:37.247400 2017] [proxy_fcgi:error] [pid 7808:tid 140564531992320] [client 122.53.58.30:29732] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:30:53.470007 2017] [proxy_fcgi:error] [pid 7832:tid 140564582348544] [client 122.53.58.30:29741] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:31:20.290011 2017] [proxy_fcgi:error] [pid 7832:tid 140564615919360] [client 122.53.58.30:29537] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:891\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 891\n', referer: .xyz Domain Names | Join Generation XYZ
[Fri Sep 01 08:31:28.826262 2017] [proxy_fcgi:error] [pid 7808:tid 140564719195904] [client 122.53.58.30:29541] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php:919\nStack trace:\n#0 {main}\n thrown in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php on line 919\n'
[Fri Sep 01 08:36:34.972675 2017] [proxy_fcgi:error] [pid 7832:tid 140564490028800] [client 122.53.58.30:29619] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 08:36:36.795446 2017] [proxy_fcgi:error] [pid 7832:tid 140564490028800] [client 122.53.58.30:29619] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 08:36:51.409627 2017] [proxy_fcgi:error] [pid 7888:tid 140564464850688] [client 122.53.58.30:29630] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'
[Fri Sep 01 08:46:11.106343 2017] [proxy_fcgi:error] [pid 7888:tid 140564515206912] [client 122.53.58.30:29571] AH01071: Got error 'PHP message: PHP Parse error: syntax error, unexpected ''JGN1cnJlbnRGaWxlID0gJF9TRVJWR' (T_ENCAPSED_AND_WHITESPACE) in /var/www/vhosts/xyz.com/httpdocs/whmcsinstallation/lol.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 1\n'


Login attempts:

122.53.58.30 [2017-09-01 08:24:36] 'CP User Login Attempt Failed' ('Login Name': 'xyz' => '')
122.53.58.30 admin [2017-09-01 08:24:42] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:38:16] 'CP User Logout' ('Contact Name': 'Administrator' => '')
122.53.58.30 admin [2017-09-01 08:38:27] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:48:27] 'Update Physical Hosting' ('Client GUID': 'e01be7f8-ed52-4c69-a16e-0f293aab8169' => 'e01be7f8-ed52-4c69-a16e-0f293aab8169', 'Domain GUID': '73974401-c369-424c-ad1b-983301fd48ad' => '73974401-c369-424c-ad1b-983301fd48ad', 'Domain Name': 'xyz.com' => 'xyz.com', 'System Shell': '/bin/false' => '/bin/bash')

They also uploaded a file called 'lol.php' into our WHMCS installation. The file is attached for checking.

Any idea what happened, how to avoid this in the future etc. and any tips?

Many thanks
 

Attachments

  • lol.zip
    12.9 KB · Views: 7
Last edited:
Hi indy0077,

I'm sorry to hear/read, that you experienced hacker attempts on your server/webspace, but to be honest, I doubt that they are "Plesk related" at all.

If you experience issues/errors/problems with a WHMCS installation, pls. note that they offer as well additional security advices / docs, like for example:




Pls. open a new thread at

=> Home > Forum > General Discussion > Open Topics

... if you would like to discuss non-Plesk - related issues/errors/problems. ;)
 
Thank's for you advice 'UFHH01', but the WHMCS security recommendations have been done on our installations years ago.

Also they didn't access our WHMCS account, but they logged in into our PLESK account, so I doubt it's a WHMCS related issue.

122.53.58.30 admin [2017-09-01 08:24:42] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:38:16] 'CP User Logout' ('Contact Name': 'Administrator' => '')
122.53.58.30 admin [2017-09-01 08:38:27] 'CP User Login' ('Contact Name': '' => 'Administrator')
122.53.58.30 admin [2017-09-01 08:48:27] 'Update Physical Hosting' ('Client GUID': 'e01be7f8-ed52-4c69-a16e-0f293aab8169' => 'e01be7f8-ed52-4c69-a16e-0f293aab8169', 'Domain GUID': '73974401-c369-424c-ad1b-983301fd48ad' => '73974401-c369-424c-ad1b-983301fd48ad', 'Domain Name': 'xyz.com' => 'xyz.com', 'System Shell': '/bin/false' => '/bin/bash')


Thanks
 
Hi, you can mark it as "RESOLVED" but the fact is it is not and you are not right with your statement, it is WHMCS related.

After further investigation, they used the Plesk 'admin' account to be logged in and also as you can see in the last log line, they changed the 'Access to the server over SSH' from 'False' to '/bin/bash'
 
Again today, we noticed that someone with a Philippines IP was logged in into our Plesk admin panel.

screenshot - Date  2017-09-09 Time  19-27-43.jpg
 
Hi indy0077,

consider to contact the official Plesk support => Contact Plesk Support , where experienced support engineers help you to investigate the issue together with you. Deeper investigations directly on your server have to be done, which is impossible over threads/posts at the Plesk Community Forum. :(
 
Ok, but that means for me to buy a license directly from PLESK as OVH is not able to fix it due lack of experience and knowledge.
 
Hi indy0077,

if the OVH support is not able to solve the issue(s), they will/should create a support ticket based on the partner contract with Plesk. ;)
 
Back
Top