• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

JS files being hacked, even after micro-updates

Yes the filemanager doesn't work then till you rename it to the old name again. But ask yourself, what's more important, a web based filemanager which is used by automated scripted to get into your system or to resign the web based filemanager and be secure (related to the atm used automated scripts).

mv /usr/local/psa/admin/bin/filemng /usr/local/psa/admin/bin/filemng_disabled

Should do the job. But be warned: If they grabed the passwords, they could change their scripts to login via FTP and not over Web via filemng.
 
Thanks for the help.

I have cleaned the files, I am going to reset the passwords and apply this workaround.

Keep waiting a Parallels Solution.

Best Regards
 
Antonio Sanchez said:
I have bad news.

One of our servers, desinfected, patched, password changed and session removed has been hacked again this night.

Our clients are complaining about it is the third time it happens. It is critical to solve this issue.

Any thought about how to do it and why it has happened again?

Best Regards
Click to expand...

Please send me in PM root access to this server, if possible. Our security team will check this issue. After investigation I will publish results here.
 
Some recent vulnerability claims seem to be based on old vulnerabilities that already have been patched –but possibly where Passwords were not completely reset or where Customers changed back to old and vulnerable passwords. We are currently investigating this new reported vulnerability on Plesk 10.4 and earlier. At this time the claims are unsubstantiated and we are unable to confirm this vulnerability and cannot confirm that this vulnerability is limited to any specific operating system.

Read more information in the article http://kb.parallels.com/en/114330
 
I can assure that the password has not been re-used. I have patched the server 3 times, reset password 3 times, delete sessions 2 times, and cleanup the infected files 3 times.

The result is that the last night I was hacked from a Pakistan ISP. If I see the logs in /usr/local/psa/admin/logs I can find the same injection over the FileManager

Best Regards
 
Antonio Sanchez said:
I can assure that the password has not been re-used. I have patched the server 3 times, reset password 3 times, delete sessions 2 times, and cleanup the infected files 3 times.

The result is that the last night I was hacked from a Pakistan ISP. If I see the logs in /usr/local/psa/admin/logs I can find the same injection over the FileManager

Best Regards
Click to expand...

Let's investigate it and publish results here! Where is your login credentials in PM?
 
Antonio Sanchez, I have received following report from Security Team regarding your server:

I’m analysed hacked server. It’s Plesk 9.2.3 on Ubuntu 8.04.

Facts:

1. Last API-RPC invocations were registered April, 20.
2. First bot login registered June, 16.
3. It looks like bots were in development/debug until June, 27 – until this time bots either didn’t try any file manager action or were unsuccessful in such actions.
4. There are only one client that owns several domains and admin that owns one domain.
5. Domains owned by client are attacked, domain owned by admin is not attacked.
6. Ubuntu security updates are not installed for a very long time – many packages are vulnerable (for example, apache2 and mysql-server-5.0).

My conclusion:

Option 1: Client credentials are stolen outside of the Plesk. Since it’s claimed that password was reset 3 times, most probably it’s stolen by virus/trojan persistent in client’s desktop used to connect to the server.
Option 2: Client credentials are stolen through vulnerable system package – for example, MySQL server.
 
Since previous hack I've get absolutely new hack. Parallels, why we pay for insecure product? We've paid for product that lacks security updates. I'm very afraid that FreeBSD has dropped out from support OS list. And now also Parallels products has vulnerable. Micro Updates doesn't help because I get new javascript hack few days ago
 
AndrisV said:
Since previous hack I've get absolutely new hack. Parallels, why we pay for insecure product? We've paid for product that lacks security updates. I'm very afraid that FreeBSD has dropped out from support OS list. And now also Parallels products has vulnerable. Micro Updates doesn't help because I get new javascript hack few days ago
Click to expand...

Did you read it? http://kb.parallels.com/114396
 
Red previous posts

Prviously I have Hack based on "km0ae9gr6m" javascript infection, I removed it. After few weeks my sites was hacked again by another type of .js infections by exploiting Plesk panels web interface.

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString
 
IgorG said:
How do you determine it?
Click to expand...

JS Files have changed. First AVG protect reported website that have mallware, then I checked files that are modified. I restored previous version of files and submited to webmaster tools @ google that site doesn't contain mallware.
 
You can send login credentials for your Plesk server to me in PM. Our Security Team will check your server and after that I publish result of investigation in this thread.
 
You must log in or register to reply here.
Back
Top