
Install plesk 8.6 from parallel server may be hacked?

Discussion in 'Plesk for Linux - 8.x and Older' started by Smashing, Feb 10, 2010.

  1. Smashing

    I installed Plesk 8.6 on Fedora 8 recently. But when I used rkhunter to check the server,
    the result showed that /bin/ls, /bin/netstat, /bin/ps, /bin/find, /usr/bin/md5sum, /usr/bin/pstree, /usr/bin/top,
    /sbin/ifconfig and /usr/sbin/lsof have been changed, and it found the SHV4 and SHV5 rootkits.
    And when I used netstat to check connections, I can't find port 80. Why? httpd is started, but I can't find port 80?
    And there is unknown traffic every day.
    What happened?
    Before I installed Plesk I also used rkhunter to check the server, and everything was fine.
     
  2. IgorG

    Where did you download the Plesk distribution package from? Do you really think that the official Plesk installation package has infected files inside?
     
  3. Smashing

    I downloaded parallels_installer_v3.4.1_build090204.18_os_FedoraCore_8_i386 from http://www.parallels.com/download/plesk86/

    And I tried it again. I installed a new server and used rkhunter to check it; everything was OK. But after I installed Plesk, rkhunter found 2 rootkits. And /bin/ls, /bin/netstat, /bin/ps, /bin/find, /usr/bin/md5sum, /usr/bin/pstree, /usr/bin/top, /sbin/ifconfig and /usr/sbin/lsof have been changed.
    It seems Plesk changed the files.

    I hope the official Plesk package is OK. But everything seems so unusual.
     
  4. IgorG

    But why don't you wish to use the latest Plesk version, 9.3.0?
    8.6.0 is a very, very old Plesk.
     
    Last edited: Feb 10, 2010
  5. Smashing

    Because I have bought the Plesk 8.6 license. I do not have 9.x.
    And I installed it on an Amazon EC2 server. Plesk 9.x seems to have problems installing on EC2.
     
  6. Smashing

    I attached the rkhunter logs from both before and after installing Plesk.
     


  7. atomicturtle

    That's definitely suspicious, but difficult to say if it's malicious or not. Those warnings are coming up because the immutable bit is set on those binaries, and because you have a non-root UID 0 account (plesk-root). You're definitely running an unsupported OS too (FC8 was EOL'd in 2008 I think).
     
  8. Smashing

    I know Fedora 8 is old. But the official Amazon EC2 AMIs only have the Fedora 8 version. I only trust AMIs from Amazon, so this is the only choice. My system is built from the official Amazon AMI and I only used yum to install rkhunter and tripwire before installing Plesk 8.6. And I did those steps within 2 hours. And plesk-root was added after I installed Plesk.

    I really have no idea what happened. I will try to install Plesk on my own server. And maybe I will download the full install package locally and install it.
     
  9. atomicturtle

    The system could be compromised then; that environment is highly exploitable.
     
  10. Smashing

    Thank you, atomicturtle. I will try another solution.
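
The two causes atomicturtle gives in post 7 for the rkhunter warnings (the immutable bit on the flagged binaries and a second UID 0 account) can be checked directly, as in this added example, which is not part of the thread. The function names are hypothetical and the sample passwd and lsattr lines are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): triage for the two rkhunter warning
# causes named in post 7. Function names are hypothetical.

# Binaries listed as changed in the first post.
FLAGGED="/bin/ls /bin/netstat /bin/ps /bin/find /usr/bin/md5sum
/usr/bin/pstree /usr/bin/top /sbin/ifconfig /usr/sbin/lsof"

# passwd-format text on stdin -> names of UID 0 accounts other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# lsattr output on stdin -> paths whose attribute field carries 'i' (immutable).
immutable_paths() {
    awk '$1 ~ /i/ { print $2 }'
}

# Constructed sample input, so the parsers can be exercised offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
plesk-root:x:0:0::/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
}
sample_lsattr() {
    cat <<'EOF'
----i-------- /bin/ls
------------- /bin/cat
s---ia------- /bin/netstat
EOF
}

# Live run against this host. On a host that may be rooted, run these tools
# from known-good media: local ls, ps, md5sum and rpm may themselves be altered.
triage() {
    echo "UID 0 accounts besides root:"
    uid0_accounts < /etc/passwd
    echo "Flagged binaries with the immutable bit:"
    for f in $FLAGGED; do lsattr "$f" 2>/dev/null; done | immutable_paths
    echo "Flagged binaries that differ from the RPM database:"
    for f in $FLAGGED; do rpm -Vf "$f" 2>/dev/null | grep " $f\$" || true; done
    return 0
}

if [ "${1:-}" = "--live" ]; then triage; fi
```

Run with `--live` to check the current host; without it the script only defines the functions.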
     