We applied the patch on an 8.4 machine and have reset client passwords. Still seeing this in the logs:
Code:
62.122.232.98 - - [23/Feb/2012:05:52:43 -0700] "POST /login_up.php3 HTTP/1.1" 200 1952
...
94.233.164.205 - - [23/Feb/2012:05:53:17 -0700] "GET /logout.php3 HTTP/1.1" 200 290
Any ideas? This is happening at least once a day.
Hello, Jacob. Thanks for reporting. Very appreciated.
The Plesk Security team has analyzed the log and concluded the following.
It seems the requests were not made through a regular browser, because there were no requests for JavaScript or image resources at all.
Also, the requests started coming from the IP addresses at approximately the same time.
So, you are definitely dealing with a robot.
If you sort the records of the log by the client IP address you will see the following picture:
Code:
123.252.128.63 - - [23/Feb/2012:05:52:46 -0700] "POST /login_up.php3 HTTP/1.1" 200 285
123.252.128.63 - - [23/Feb/2012:05:52:48 -0700] "GET /plesk/client@8/domain@/?context=domains HTTP/1.1" 303 5
123.252.128.63 - - [23/Feb/2012:05:52:49 -0700] "GET /clients/cl_ed.php3?start=true&previous_page=domain%40 HTTP/1.1" 200 4883
123.252.128.63 - - [23/Feb/2012:05:52:52 -0700] "POST /domains/domains.php3 HTTP/1.1" 303 5
123.252.128.63 - - [23/Feb/2012:05:52:53 -0700] "GET /clients/cl_ed.php3?start=true&previous_page=domains HTTP/1.1" 200 4883
123.252.128.63 - - [23/Feb/2012:05:52:56 -0700] "GET /logout.php3 HTTP/1.1" 200 290
...
95.19.238.63 - - [23/Feb/2012:05:52:46 -0700] "POST /login_up.php3 HTTP/1.1" 200 285
95.19.238.63 - - [23/Feb/2012:05:52:48 -0700] "GET /plesk/client@10/domain@/?context=domains HTTP/1.1" 200 5304
95.19.238.63 - - [23/Feb/2012:05:52:51 -0700] "POST /domains/domains.php3 HTTP/1.1" 200 5288
95.19.238.63 - - [23/Feb/2012:05:52:54 -0700] "GET /logout.php3 HTTP/1.1" 200 290
What is common in these series ordered by IP address is that:
• The first request in a series is an authorization attempt
• The last request is always a logout request
• Between the authorization and logout requests there is a request to get the list of the customer's domains, and a request to search domains.
• All series started at approximately the same time
• In all series, the size of the response to the first request is either approximately 280 bytes or 1900 bytes; obviously one value corresponds to a successful login attempt and the other to an unsuccessful one.
In two series, after the request to get the list of domains and the request to search domains, the HTTP client receives an error and makes a request to edit the personal card of the logged-in account.
This corresponds to the behavior of Plesk when a newly created account logs in to the Panel and is asked to fill in some additional information that was not provided during account creation. In this case any request leads to a redirection, and such redirections are followed by HTTP clients by default, which is exactly what you observe.
Three authorization attempts were unsuccessful and five were successful. Two of them were performed by a new account.
So, about a series of this type you may conclude that:
• Authorization was successful
• The authorized party is some Plesk account, but not the Plesk 'admin'
• The account is newly created.
We may notice that the client with IP 94.233.164.205 made three requests to the file manager of domain 880.
Generalizing everything said above, you see the following picture.
• One client IP address corresponds to one account.
• The attacker does not have the Plesk 'admin' password.
• The robot works by the following algorithm:
1. Authorize in Panel.
2. Get list of all domains.
3. Parse list of domains.
4. For each found domain go to file manager and upload some files there.
5. Log out.
• There is no security hole in the Plesk File Manager. The attacker had already obtained a list of credentials by the beginning of the attack.
• Not all Plesk owners and their customers have changed the passwords of their Plesk accounts (but some have).
Also, it seems some Plesk owners generate passwords for new accounts by some predefined pattern, because two of the five successful login attempts were made with the credentials of newly created accounts, and the attacker already knew the passwords. They might be some sort of "dead souls" who bought hosting but don't use it.
It's strongly recommended to make sure all passwords of your accounts have been changed if you suspect your Plesk was hacked.
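One way to automate the IP-sorted triage described in this reply, as an added example that is not code from the thread or from Plesk: group access-log lines by client IP and flag series that start with a login POST, end with a logout and never fetch JavaScript or image assets, using the response-size rule of thumb from the post. The sample log lines are constructed on the model of the excerpts above, and the 400-byte cut-off between the ~280-byte and ~1900-byte login responses is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the access-log excerpts in the thread.
SAMPLE_LOG = """\
123.252.128.63 - - [23/Feb/2012:05:52:46 -0700] "POST /login_up.php3 HTTP/1.1" 200 285
123.252.128.63 - - [23/Feb/2012:05:52:48 -0700] "GET /plesk/client@8/domain@/?context=domains HTTP/1.1" 303 5
123.252.128.63 - - [23/Feb/2012:05:52:52 -0700] "POST /domains/domains.php3 HTTP/1.1" 303 5
123.252.128.63 - - [23/Feb/2012:05:52:56 -0700] "GET /logout.php3 HTTP/1.1" 200 290
62.122.232.98 - - [23/Feb/2012:05:52:43 -0700] "POST /login_up.php3 HTTP/1.1" 200 1952
62.122.232.98 - - [23/Feb/2012:05:52:44 -0700] "GET /logout.php3 HTTP/1.1" 200 290
10.0.0.5 - - [23/Feb/2012:08:10:01 -0700] "POST /login_up.php3 HTTP/1.1" 200 285
10.0.0.5 - - [23/Feb/2012:08:10:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 1200
10.0.0.5 - - [23/Feb/2012:08:10:02 -0700] "GET /js/common.js HTTP/1.1" 200 4400
10.0.0.5 - - [23/Feb/2012:09:30:00 -0700] "GET /logout.php3 HTTP/1.1" 200 290
"""

# Apache/Plesk common log format: ip ident user [time] "method path proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
STATIC_RE = re.compile(r'\.(js|css|gif|png|jpe?g|ico)(\?|$)', re.IGNORECASE)
# Assumed threshold: ~280-byte reply to login_up.php3 = success, ~1900 bytes = login form again.
LOGIN_OK_MAX_BYTES = 400

def parse(log_text):
    """Group (method, path, status, size) tuples by client IP, preserving log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, size = m.groups()
            by_ip[ip].append((method, path, int(status), 0 if size == "-" else int(size)))
    return by_ip

def classify_sessions(log_text):
    """Return {ip: verdict} for every IP whose series starts with a login POST."""
    verdicts = {}
    for ip, reqs in parse(log_text).items():
        method, path, _, size = reqs[0]
        if not (method == "POST" and path.startswith("/login_up.php3")):
            continue
        login_ok = size <= LOGIN_OK_MAX_BYTES
        ends_with_logout = reqs[-1][1].startswith("/logout.php3")
        loaded_assets = any(STATIC_RE.search(p) for _, p, _, _ in reqs)
        if ends_with_logout and not loaded_assets:
            verdicts[ip] = "scripted session, login " + ("succeeded" if login_ok else "failed")
        else:
            verdicts[ip] = "browser-like session"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```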