How do I stop all plesk commands?

InterJinn

Guest
A plesk enabled server I manage has been breached several times in the past few weeks. Every time (that I can see via Plesk logs) the breach has come in through the Plesk management interface. I don't know how it is occurring but I have changed passwords and they are still able to access the plesk management interface. The hacker connects from many different IPs and always sets the account info to Name: Arber, email: [email protected]. When he connects he completely purges existing domains, then creates his own warez domain and uploads software to it. At any rate even after locking down FTP and SSH he still can access the Plesk interface. I have disabled the psa service (service psa stop) and disabled it from the startup options (chkconfig psa off). This disables Plesk sort-of. Unfortunately Plesk then presents a Plesk diagnostics page with the following information:

Problems found:
The Plesk control panel service is switched off.
Solutions:
Restart the Plesk control panel service.
The SMTP server service is switched off.
Solutions:
Restart the SMTP server service.
[ Apply Selected Solutions ]

When I click the button somehow the system bypasses the psa service and starts up some stuff. This re-enables the plesk interface and thus makes disabling the service futile. Please tell me how I can prevent Plesk access to my server. I want to be able to turn on Plesk when *I* want to do configuration and leave it off otherwise. Shedding some light on how the attacker is getting into my control panel would also be nice since I've changed the passwords and each time they are able to regain access and relatively easily considering the time delay between re-access.

Thanks,
Rob.
 
That tells me that they have compromised the desktop of a user or users with access to admin on the server.

Are you suggesting my own desktop or the hosting company's? If it were mine I don't see why they wouldn't just connect via root. But as it stands it's always been through the plesk interface. Additionally I have several other plesk accounts with different hosting companies that have not been breached.

That said, is there any way I can prevent plesk from being restarted via the plesk diagnostics interface until I've had time to investigate further?
 
Never mind, I figured it out. I didn't realize Plesk was running off its own webserver invocation. I've just locked it down in the conf file.

Cheers,
Rob.
 
That would mean your own desktop yes. I have seen malware that just focused on reconfiguring the box over plesk directly rather than using ssh. Are you sure they haven't been using ssh?
 
I saw them come in through SSH yesterday for the first time (I was online at the time even) but they connected using the user for a new domain they had just created. I was always connecting directly via root although I've locked that down now and forced access through a single non-root, non-domain user. Having seen how they do things I don't think they can access root. Each time they have either first changed over the existing ftp user for one of the existing domains and uploaded stuff via FTP (ftp is now shut down) or created a new domain to do the same. With FTP shut down they must have switched to SSH for file transfer. I guess I will see soon enough if they have root since plesk now has an apache auth in front of it and there's only one way in via SSH. I find it unlikely my own desktop is compromised but I guess I'll find out soon enough.
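An added example, not code from this thread or from Plesk: a defender-side check that reads the panel web server's access log and lists successful logins from addresses outside an admin allow-list, the kind of evidence Rob was looking for in the Plesk logs. It assumes the log is in Apache "combined" format, that `/login.php3` is the login endpoint and that a login POST answered with a 302 redirect succeeded; the sample lines and the allow-list range are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/login.php3"             # assumed login endpoint, illustrative only
ADMIN_ALLOWLIST = ["203.0.113.0/24"]   # hypothetical range the admin connects from

# Constructed sample lines; the format and paths are assumptions, not Plesk's own.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:01:12 +0000] "POST /login.php3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:01:15 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2024:23:41:02 +0000] "POST /login.php3 HTTP/1.1" 302 0 "-" "curl/7.0"
198.51.100.77 - - [10/Mar/2024:23:41:09 +0000] "POST /domains/add HTTP/1.1" 200 900 "-" "curl/7.0"
192.0.2.33 - - [11/Mar/2024:02:10:44 +0000] "POST /login.php3 HTTP/1.1" 401 0 "-" "python-requests"
192.0.2.33 - - [11/Mar/2024:02:11:00 +0000] "POST /login.php3 HTTP/1.1" 302 0 "-" "python-requests"
"""

def parse_line(line):
    """Fields of one access-log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    return None if m is None else {**m.groupdict(), "status": int(m["status"])}

def ip_allowed(ip, allowlist=ADMIN_ALLOWLIST):
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in allowlist)

def find_unexpected_logins(log_text, allowlist=ADMIN_ALLOWLIST):
    """(timestamp, ip) of successful logins from outside the allow-list.
    Assumption: a login POST answered with a 302 redirect succeeded."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH \
                and rec["status"] == 302 and not ip_allowed(rec["ip"], allowlist):
            hits.append((rec["ts"], rec["ip"]))
    return hits

def distinct_sources(hits):
    """Number of different addresses behind the unexpected logins."""
    return len({ip for _, ip in hits})

if __name__ == "__main__":
    hits = find_unexpected_logins(SAMPLE_LOG)
    print(f"{len(hits)} unexpected logins from {distinct_sources(hits)} addresses")
```

Point it at the real access log of whatever web server serves the panel, and widen the allow-list to the addresses you actually administer from; anything left is worth a look.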
 
Thanks for the link. This is a new setup so nothing major in place yet. I'll just have it completely re-setup from scratch. My main concern was it happening again if it was a bug someplace being exploited. The hosting company (or maybe it's plesk) unfortunately does send your initial setup password and any password updates to you via plaintext email. Personally I find this ludicrous and a likely point of interception. I run a linux desktop behind a linux firewall, I realize linux can be breached, but I doubt it is my system. My colleague who originally set up the system uses Windows, but when the first breach occurred I eliminated her from the account. So at this time I'm leaning towards email sniffing either via traffic or from a desktop compromise.
 