Facebook
Twitter
Antonio Sanchez
New Pleskian
Rename de filemanager? Where?
If you rename the filemanager it is supposed it stops function, isn't it?
Thanks
If you rename the filemanager it is supposed it stops function, isn't it?
Thanks
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
JS files being hacked, even after micro-updates
- Thread starter BrunoMiguel
- Start date
B
Blankster
Guest
Yes the filemanager doesn't work then till you rename it to the old name again. But ask yourself, what's more important, a web based filemanager which is used by automated scripted to get into your system or to resign the web based filemanager and be secure (related to the atm used automated scripts).
mv /usr/local/psa/admin/bin/filemng /usr/local/psa/admin/bin/filemng_disabled
Should do the job. But be warned: If they grabed the passwords, they could change their scripts to login via FTP and not over Web via filemng.
mv /usr/local/psa/admin/bin/filemng /usr/local/psa/admin/bin/filemng_disabled
Should do the job. But be warned: If they grabed the passwords, they could change their scripts to login via FTP and not over Web via filemng.
Antonio Sanchez
New Pleskian
Thanks for the help.
I have cleaned the files, I am going to reset the passwords and apply this workaround.
Keep waiting a Parallels Solution.
Best Regards
I have cleaned the files, I am going to reset the passwords and apply this workaround.
Keep waiting a Parallels Solution.
Best Regards
Please send me in PM root access to this server, if possible. Our security team will check this issue. After investigation I will publish results here.
Some recent vulnerability claims seem to be based on old vulnerabilities that already have been patched –but possibly where Passwords were not completely reset or where Customers changed back to old and vulnerable passwords. We are currently investigating this new reported vulnerability on Plesk 10.4 and earlier. At this time the claims are unsubstantiated and we are unable to confirm this vulnerability and cannot confirm that this vulnerability is limited to any specific operating system.
Read more information in the article http://kb.parallels.com/en/114330
Read more information in the article http://kb.parallels.com/en/114330
Antonio Sanchez
New Pleskian
I can assure that the password has not been re-used. I have patched the server 3 times, reset password 3 times, delete sessions 2 times, and cleanup the infected files 3 times.
The result is that the last night I was hacked from a Pakistan ISP. If I see the logs in /usr/local/psa/admin/logs I can find the same injection over the FileManager
Best Regards
The result is that the last night I was hacked from a Pakistan ISP. If I see the logs in /usr/local/psa/admin/logs I can find the same injection over the FileManager
Best Regards
Let's investigate it and publish results here! Where is your login credentials in PM?
Antonio Sanchez
New Pleskian
I send you a PM some time ago.
I sent list of Parallels IPs to you. Where is login credentials?
Antonio Sanchez, I have received following report from Security Team regarding your server:
I’m analysed hacked server. It’s Plesk 9.2.3 on Ubuntu 8.04.
Facts:
1. Last API-RPC invocations were registered April, 20.
2. First bot login registered June, 16.
3. It looks like bots were in development/debug until June, 27 – until this time bots either didn’t try any file manager action or were unsuccessful in such actions.
4. There are only one client that owns several domains and admin that owns one domain.
5. Domains owned by client are attacked, domain owned by admin is not attacked.
6. Ubuntu security updates are not installed for a very long time – many packages are vulnerable (for example, apache2 and mysql-server-5.0).
My conclusion:
Option 1: Client credentials are stolen outside of the Plesk. Since it’s claimed that password was reset 3 times, most probably it’s stolen by virus/trojan persistent in client’s desktop used to connect to the server.
Option 2: Client credentials are stolen through vulnerable system package – for example, MySQL server.
I’m analysed hacked server. It’s Plesk 9.2.3 on Ubuntu 8.04.
Facts:
1. Last API-RPC invocations were registered April, 20.
2. First bot login registered June, 16.
3. It looks like bots were in development/debug until June, 27 – until this time bots either didn’t try any file manager action or were unsuccessful in such actions.
4. There are only one client that owns several domains and admin that owns one domain.
5. Domains owned by client are attacked, domain owned by admin is not attacked.
6. Ubuntu security updates are not installed for a very long time – many packages are vulnerable (for example, apache2 and mysql-server-5.0).
My conclusion:
Option 1: Client credentials are stolen outside of the Plesk. Since it’s claimed that password was reset 3 times, most probably it’s stolen by virus/trojan persistent in client’s desktop used to connect to the server.
Option 2: Client credentials are stolen through vulnerable system package – for example, MySQL server.
A
AndrisV
Guest
Since previous hack I've get absolutely new hack. Parallels, why we pay for insecure product? We've paid for product that lacks security updates. I'm very afraid that FreeBSD has dropped out from support OS list. And now also Parallels products has vulnerable. Micro Updates doesn't help because I get new javascript hack few days ago
A
AndrisV
Guest
Red previous posts
Prviously I have Hack based on "km0ae9gr6m" javascript infection, I removed it. After few weeks my sites was hacked again by another type of .js infections by exploiting Plesk panels web interface.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString
Prviously I have Hack based on "km0ae9gr6m" javascript infection, I removed it. After few weeks my sites was hacked again by another type of .js infections by exploiting Plesk panels web interface.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString
How do you determine it?
A
AndrisV
Guest
JS Files have changed. First AVG protect reported website that have mallware, then I checked files that are modified. I restored previous version of files and submited to webmaster tools @ google that site doesn't contain mallware.