perler
Guest
hi,
This morning my logcheck spit out something that looks like a break-in attempt somehow related to Plesk.
My system is a Debian 3.1 box; sshd accepts only key authentication for root, but to provide the secure shell functionality to Plesk customers, keyboard authentication is allowed for Plesk users. Here is what the log says:
Jul 15 06:20:56 sshd[22152]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.75.94.50 user=root
Jul 15 06:20:56 sshd[22152]: Authentication started for user root
Jul 15 06:20:56 sshd[22152]: Plesk DB connection established successfully
Jul 15 06:20:56 sshd[22152]: Querying SELECT password, type FROM psa.accounts as a, psa.sys_users AS s WHERE a.id = s.account_id AND s.login='root'
Jul 15 06:20:56 sshd[22152]: No user 'root' found
Jul 15 06:20:58 sshd[22152]: error: PAM: Authentication failure for root from 218.75.94.50
Jul 15 06:21:02 sshd[22152]: Authentication started for user root
Jul 15 06:21:02 sshd[22152]: Plesk DB connection established successfully
Jul 15 06:21:02 sshd[22152]: Querying SELECT password, type FROM psa.accounts as a, psa.sys_users AS s WHERE a.id = s.account_id AND s.login='root'
Jul 15 06:21:02 sshd[22152]: No user 'root' found
Jul 15 06:21:03 sshd[22152]: error: PAM: Authentication failure for root from 218.75.94.50
Jul 15 06:21:04 sshd[22152]: (pam_unix) 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.75.94.50 user=root
To me, this looks like the attacker knows something about a vulnerability which may allow him to read out the Plesk password database.
[UPDATE]
Unfortunately I don't have debug logging enabled for my MySQL DB, so I cannot see if the attacker was successful with his SQL query. If someone is logging his MySQL DB in debug mode and suffers from the same attacks, please have a look and report here, thanks.
[/UPDATE]
[UPDATE2]
I ran the query the attacker tried on my servers and it didn't return anything, because I don't have a user "root". But if the attacker knows a username and the attack /would/ work, he would have the plain text password to an account in Plesk.
[/UPDATE2]
[UPDATE3]
OK, this looks serious. I simulated the attacker, and when the query above queries for a KNOWN user (not root), the Plesk user's password can be seen in plain text in the server's logs. I'm not sure if the attacker can somehow log on HIS client the information I can see on MY server, but if yes, he /could/ read out Plesk users' passwords.
What is very disturbing is that during sshd authentication, MySQL accepts queries and spits out results although "keyboard interactive" as authentication method is disabled.
[/UPDATE3]
I cannot see that it worked out in my case, but maybe other users get more problems, so before investigating the case further, I give here an early warning: check your logs!
I give this info to SWsoft too.
feedback welcome,
PAT
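A small log-triage script for the pattern in the post above, added here as an example and not part of the original post or of Plesk: it groups the sshd lines by PID, records which psa logins the Plesk PAM module looked up and which of them did not exist, and flags sessions worth checking for plaintext credentials. The sample lines are the ones quoted in the post (with the broken rhost spacing repaired); the threshold and the "unknown login" heuristic are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd/PAM lines quoted in the post, rhost spacing repaired.
SAMPLE_LOG = """\
Jul 15 06:20:56 sshd[22152]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.75.94.50 user=root
Jul 15 06:20:56 sshd[22152]: Authentication started for user root
Jul 15 06:20:56 sshd[22152]: Plesk DB connection established successfully
Jul 15 06:20:56 sshd[22152]: Querying SELECT password, type FROM psa.accounts as a, psa.sys_users AS s WHERE a.id = s.account_id AND s.login='root'
Jul 15 06:20:56 sshd[22152]: No user 'root' found
Jul 15 06:20:58 sshd[22152]: error: PAM: Authentication failure for root from 218.75.94.50
Jul 15 06:21:02 sshd[22152]: Authentication started for user root
Jul 15 06:21:02 sshd[22152]: Plesk DB connection established successfully
Jul 15 06:21:02 sshd[22152]: Querying SELECT password, type FROM psa.accounts as a, psa.sys_users AS s WHERE a.id = s.account_id AND s.login='root'
Jul 15 06:21:02 sshd[22152]: No user 'root' found
Jul 15 06:21:03 sshd[22152]: error: PAM: Authentication failure for root from 218.75.94.50
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
QUERY_RE = re.compile(r"Querying SELECT .*s\.login='([^']*)'")      # login looked up in psa
NOUSER_RE = re.compile(r"No user '([^']*)' found")                  # login does not exist
FAIL_RE = re.compile(r"PAM: Authentication failure for \S+ from (\S+)")  # peer address

def summarize(log_text):
    """Group lines by sshd PID; record which logins the Plesk PAM module
    looked up in psa, which of them do not exist, and the peer address."""
    sessions = defaultdict(lambda: {"rhost": None, "queried": [], "unknown": set(), "failures": 0})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if (q := QUERY_RE.search(msg)):
            s["queried"].append(q.group(1))
        if (u := NOUSER_RE.search(msg)):
            s["unknown"].add(u.group(1))
        if (f := FAIL_RE.search(msg)):
            s["failures"] += 1
            s["rhost"] = f.group(1)
    return dict(sessions)

def flag_sessions(sessions, min_lookups=2):
    """Sessions where psa was queried repeatedly for logins that do not exist
    (the pattern from the post). Each hit is worth grepping in the same log
    for plaintext credentials, since the post reports that a lookup for an
    existing login writes its password to the log. Threshold is an assumption."""
    return [(pid, s["rhost"], sorted(s["unknown"])) for pid, s in sessions.items()
            if len(s["queried"]) >= min_lookups and s["unknown"]]
```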