
My Plesk server was hacked by Anoncoders, twice.

Paula1

New Pleskian
Hi there,
My server has been hacked twice this week.

Six days ago (before the first intrusion) I was using
Plesk version 12.0.18 Update #58
  • My WAF (Atomic rules) was probably out of date (WAF on, but rule updates were disabled)
  • My Joomla and WordPress sites were not running the latest versions; their last update was done around last October.

The intruders left an html file with a message that said "hacked by anoncoders" in every root folder of the sites.

What I did was delete the whole content of the folders, restore everything and change all passwords, all of them, including root, FTP and the sites' administrator accounts.
After that I upgraded the server.

Two days ago I was using:

CentOS 6.7 (Final)
Plesk version 12.0.18 Update #74, and my server was hacked again.

This time I had

  • IP Address Banning ON
  • Web Application Firewall ON (Atomic Basic ModSecurity rule set, with rule updates set to Daily)
  • I use an external firewall provided by my hosting company, 1and1. I have restricted access to ports 22 (SSH) and 21 (FTP) exclusively to my IP address.

All of these settings seem to be working fine, because I have done several tests; however, the server was hacked.

The intruders left 3 files in every root folder of my sites (index.php, anoncoders.html, index.html).
They left the access log files empty (proxy_access_ssl_log, proxy_access_log, access_log).

There is no sign that they used FTP or SSH access (because of my restriction).

I'm going to reimage my server; however, I'm worried that my new server could be vulnerable to this kind of vandalism.

Is there any way someone can help me find what is causing these intrusions?
Could it be a new exploit in one of the websites (a WordPress plugin or Joomla extension), or directly in the server?
 
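Before reimaging, the situation in the post above (three dropped files per web root, access logs emptied, no FTP/SSH trace) can be triaged with a few lines of shell. The script below is an added example, not code from the original post, from Plesk or from 1and1; it assumes the Plesk layout of `<vhosts>/<site>/httpdocs` for web roots plus one directory of web-server logs, and it builds a constructed sample tree so it runs offline. Two things it shows that the post's own observations do not: every file written in the intrusion window, not only the ones with obvious names (a dropped backdoor is rarely called anoncoders.html), and whether the same payload hash landed on every site.

```shell
#!/bin/sh
# Added triage example; not code from the thread, from Plesk or from 1and1.
# Assumes the Plesk layout <vhosts>/<site>/httpdocs for web roots and one
# directory of web-server logs. The sample tree is constructed below.

# file_sha256 FILE : hex SHA-256 (sha256sum on Linux, shasum elsewhere)
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# recent_web_files ROOT DAYS
# Every file under ROOT modified within DAYS days, "<sha256>  <path>" per line.
# Defacement pages named index.html/anoncoders.html show up, but so does any
# other file written in the same window (the backdoor is usually NOT named
# anoncoders.html), and identical hashes across sites prove one payload.
recent_web_files() {
    root="$1"; days="${2:-7}"
    find "$root" -type f -mtime -"$days" | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(file_sha256 "$f")" "$f"
    done
}

# find_empty_logs LOGDIR
# Zero-length log files. A rotated log is replaced by a fresh file that fills
# immediately, so a 0-byte access_log on a site that is serving traffic is a
# sign of deliberate wiping, not of rotation.
find_empty_logs() {
    find "$1" -type f -size 0 | LC_ALL=C sort
}

# make_sample_tree : constructed tree mirroring the incident; prints its path
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/vhosts/site1/httpdocs" "$base/vhosts/site2/httpdocs" "$base/logs"
    printf '<?php /* legitimate file, untouched since 2015 */\n' \
        > "$base/vhosts/site1/httpdocs/wp-config.php"
    touch -t 201510010000 "$base/vhosts/site1/httpdocs/wp-config.php"
    for s in site1 site2; do
        printf 'hacked by anoncoders\n' > "$base/vhosts/$s/httpdocs/anoncoders.html"
    done
    printf '<?php /* constructed stand-in for the dropped index.php */\n' \
        > "$base/vhosts/site2/httpdocs/index.php"
    : > "$base/logs/access_log"            # wiped
    : > "$base/logs/proxy_access_log"      # wiped
    printf '[error] still here\n' > "$base/logs/error_log"   # left alone
    printf '%s\n' "$base"
}

# Demo on the constructed tree
demo=$(make_sample_tree)
echo "# files modified in the last 7 days under $demo/vhosts"
recent_web_files "$demo/vhosts" 7
echo "# zero-length logs under $demo/logs"
find_empty_logs "$demo/logs"
rm -rf "$demo"
```

On a real box, run it against `/var/www/vhosts` and the sites' log directories and copy the output (and whatever logs are not empty, plus `/var/log/secure` for sshd on CentOS) off the server before reimaging; once the web access logs have been emptied, only logs kept off-host or by the hoster can show the request that did it.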
Hi,
I think the Basic ModSecurity rule set does not offer this kind of protection (against malware).
Probably with the subscription service you could find more help, but I don't know the difference (between Basic and subscription).

Also see this service, which is probably more useful for your problem (a free trial is available):
https://www.sitelock.com
 
@MicheleB,

Thanks for sharing the relevant information.

It seems to be the case that you were "hacked" from an "internal source".

For example, someone uploading a script or code (happens all the time on WordPress installations) and/or even by mail (somewhat more advanced).

However, since you are on 1and1, you must also be aware of the danger that one of the vulnerable servers has opened the entire internal network to attacks (i.e. consider them to be "inside jobs"), and it certainly is not the first time that something similar has happened at 1and1.

If you ask me, the attacks are originating from the "inside", given the fact that none of the logs are showing connection information.

The problem now is twofold:

a) internal network connections should also be logged in Plesk, unless you are using a VPS (log information is rather limited): the associated problem is that you cannot use a firewall,

b) when using a VPS, hosted on a master server, files (and their malicious counterparts) can pass the "VPS boundaries": you cannot do anything about that, 1and1 can and should.

These two problems do leave you with rather limited options.

However, protection will be of a higher degree if you are using a "local firewall", for instance the Plesk Firewall.

Just do the following:

- use Fail2Ban to restrict traffic (primarily for the webserver and the mail server), (and)
- allow SSH/FTP to be accessed by only your IP, (and)
- allow Plesk installer/Plesk administrative interface to be accessed by only your IP, (and)
- set MySQL to only allow traffic from localhost (127.0.0.1), (and)
- deny all traffic for all inactive applications, (AND)

the most important parts:

- alter the Fail2Ban "recidive" jail, in order to have settings changed to number of retries: 3 (default 5) and to ban period: any value higher than 604800, (and)
- create a "custom rule" in the Plesk firewall for the persistent malicious IP (with the rule: deny on all ports)

and that's all.

In order to tweak security for HTTP and HTTPS (and even mail) requests, one can also consider compiling a custom Nginx binary with the GeoIP module (this Nginx module can be used to block requests from a specific country or region).

Hope the above explanation (in outlines) helps a tiny bit.

Regards....
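The two settings the post above calls "the most important parts" (recidive jail at 3 retries with a ban longer than 604800 seconds, and MySQL reachable only from localhost) are easy to get subtly wrong and easy to verify. The script below is an added example, not code from the post, from Plesk or from fail2ban: it writes a constructed weak and a constructed tightened `jail.local` and `my.cnf`, then audits them with the same `audit_*` functions you would point at the real `/etc/fail2ban/jail.local` and `/etc/my.cnf`. It assumes `maxretry` and `bantime` are plain integers, as in the fail2ban 0.8/0.9 packages for CentOS 6; the `1w`-style durations accepted by newer fail2ban are treated as "not a number" and fail the check.

```shell
#!/bin/sh
# Added hardening-audit example; not code from the thread, Plesk or fail2ban.
# Checks a jail.local against the post's recidive thresholds and a my.cnf for
# MySQL bound to loopback. Assumes maxretry/bantime are plain integers
# (fail2ban 0.8/0.9 as shipped for CentOS 6). Sample files are constructed.

# ini_value FILE SECTION KEY : print the value of KEY in [SECTION], else nothing
ini_value() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/[[:space:]]+$/, "") }
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# is_int VALUE : true for a non-empty string of digits
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# audit_recidive JAIL_FILE
# Thresholds from the post: maxretry 3 (fail2ban default 5) and bantime above
# 604800 s (the default one week). The jail must also be enabled.
audit_recidive() {
    en=$(ini_value "$1" recidive enabled)
    mr=$(ini_value "$1" recidive maxretry)
    bt=$(ini_value "$1" recidive bantime)
    is_int "$mr" || mr=0
    is_int "$bt" || bt=0
    if [ "$en" = "true" ] && [ "$mr" -ge 1 ] && [ "$mr" -le 3 ] && [ "$bt" -gt 604800 ]; then
        echo "recidive ok (maxretry=$mr bantime=$bt)"
        return 0
    fi
    echo "recidive WEAK (enabled=${en:-unset} maxretry=$mr bantime=$bt)"
    return 1
}

# audit_mysql_bind MYCNF
# MySQL should not be reachable over the network: bind-address on loopback in
# [mysqld], or skip-networking (which turns TCP off entirely).
audit_mysql_bind() {
    if grep -q '^[[:space:]]*skip-networking' "$1"; then
        echo "mysql ok (skip-networking)"; return 0
    fi
    ba=$(ini_value "$1" mysqld bind-address)
    case "$ba" in
        127.0.0.1|localhost|::1) echo "mysql ok (bind-address=$ba)"; return 0 ;;
        '') echo "mysql WEAK (no bind-address: listens on every interface)"; return 1 ;;
        *)  echo "mysql WEAK (bind-address=$ba)"; return 1 ;;
    esac
}

# write_sample_configs : four constructed files in a temp dir; prints the dir
write_sample_configs() {
    d=$(mktemp -d)
    # stock recidive values: maxretry 5, bantime 604800 (one week)
    printf '%s\n' '[recidive]' 'enabled  = true' 'filter   = recidive' \
        'logpath  = /var/log/fail2ban.log' 'findtime = 86400' \
        'maxretry = 5' 'bantime  = 604800' > "$d/jail.weak"
    # tightened as the post suggests: 3 retries, two-week ban
    printf '%s\n' '[recidive]' 'enabled  = true' 'filter   = recidive' \
        'logpath  = /var/log/fail2ban.log' 'findtime = 86400' \
        'maxretry = 3' 'bantime  = 1209600' > "$d/jail.hard"
    printf '%s\n' '[mysqld]' 'datadir = /var/lib/mysql' > "$d/my.weak"
    printf '%s\n' '[mysqld]' 'datadir = /var/lib/mysql' \
        'bind-address = 127.0.0.1' > "$d/my.hard"
    printf '%s\n' "$d"
}

# Demo: weak files fail, tightened files pass
cfg=$(write_sample_configs)
for f in jail.weak jail.hard; do printf '%s: ' "$f"; audit_recidive "$cfg/$f" || true; done
for f in my.weak my.hard;     do printf '%s: ' "$f"; audit_mysql_bind "$cfg/$f" || true; done
rm -rf "$cfg"
```

Two caveats when applying this for real: the recidive jail works by reading fail2ban's own log (`/var/log/fail2ban.log`), so fail2ban's log level must be at least INFO or no bans are ever seen by it; and the "deny on all ports" custom rule for a persistent attacker is, underneath the Plesk Firewall UI, just an iptables drop such as `iptables -I INPUT -s 203.0.113.5 -j DROP` (a documentation address used as an example), which the Plesk Firewall will keep across reboots where a hand-typed rule will not.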
 
Very nice security tips, but I don't buy it. Hackers that "hack a server" leave more than the files in the root folder of sites.

To me this looks more like a hack due to un-updated scripts. Both Joomla and WordPress had very severe security updates in December/January, and Paula1 said clearly that:

a: only WordPress and Joomla were hacked
b: both were last updated in October.

https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
"WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised"

https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html

The security hole in Joomla was so severe that they even released updates for version 1.5, although it has been end-of-life for a few years now.

So I am a bit surprised no one advised the obvious:

keep scripts up-to-date

Subscribe to the mailing list of the script(s) you are using, and always update the minute a security update is released. You can have the most secure server in the world, but when you run a WordPress with an XSS hole in it, you WILL get hacked.

regards
Jan
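"Keep scripts up-to-date" is only actionable if you know what is installed where. As an added example (not code from the post, from WordPress or from Joomla), the script below inventories the CMS version in every Plesk web root and flags installs older than the fixed releases behind the two advisories linked above. I take WordPress 4.4.1 from the first link and assume Joomla 3.4.6 as the release carrying the 2015-12-06 session-hardening fix; both thresholds are constants at the top so they can be moved forward. It reads `$wp_version` from `wp-includes/version.php` and the `RELEASE`/`DEV_LEVEL` constants of the Joomla 3.x `libraries/cms/version/version.php`; older Joomla layouts are not handled. The three sample sites are constructed so it runs offline.

```shell
#!/bin/sh
# Added example; not code from the thread, WordPress or Joomla.
# Inventory CMS versions under a Plesk vhosts root and flag installs older
# than the fixed releases. Thresholds are an assumption taken from the two
# advisories linked in the post; move them forward as new releases appear.
WP_MIN=4.4.1
JOOMLA_MIN=3.4.6

# version_lt A B : succeeds when dotted version A is older than B
# (component-wise numeric compare, so 4.10 is newer than 4.9 and 4.4 < 4.4.1)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# wp_version DOCROOT : prints $wp_version from wp-includes/version.php, or nothing
wp_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 0
    grep '^\$wp_version' "$f" | cut -d"'" -f2
}

# joomla_version DOCROOT : Joomla 3.x keeps RELEASE ('3.4') and DEV_LEVEL ('5')
joomla_version() {
    f="$1/libraries/cms/version/version.php"
    [ -f "$f" ] || return 0
    rel=$(grep 'const RELEASE' "$f" | cut -d"'" -f2)
    dev=$(grep 'const DEV_LEVEL' "$f" | cut -d"'" -f2)
    [ -n "$rel" ] && printf '%s.%s\n' "$rel" "$dev"
    return 0
}

# audit_cms VHOSTS_ROOT : one line "<site> <cms> <version> <ok|OUTDATED>" per install
audit_cms() {
    for doc in "$1"/*/httpdocs; do
        site=$(basename "$(dirname "$doc")")
        v=$(wp_version "$doc")
        if [ -n "$v" ]; then
            if version_lt "$v" "$WP_MIN"; then st="OUTDATED (< $WP_MIN)"; else st=ok; fi
            printf '%s wordpress %s %s\n' "$site" "$v" "$st"
        fi
        v=$(joomla_version "$doc")
        if [ -n "$v" ]; then
            if version_lt "$v" "$JOOMLA_MIN"; then st="OUTDATED (< $JOOMLA_MIN)"; else st=ok; fi
            printf '%s joomla %s %s\n' "$site" "$v" "$st"
        fi
    done
}

# make_sample_vhosts : constructed vhosts root with three sites; prints its path
make_sample_vhosts() {
    base=$(mktemp -d)
    mkdir -p "$base/site1/httpdocs/wp-includes" "$base/site2/httpdocs/wp-includes" \
             "$base/site3/httpdocs/libraries/cms/version"
    printf "<?php\n\$wp_version = '4.3.1';\n" > "$base/site1/httpdocs/wp-includes/version.php"
    printf "<?php\n\$wp_version = '4.4.1';\n" > "$base/site2/httpdocs/wp-includes/version.php"
    printf "<?php\nfinal class JVersion {\n\tconst RELEASE = '3.4';\n\tconst DEV_LEVEL = '5';\n}\n" \
        > "$base/site3/httpdocs/libraries/cms/version/version.php"
    printf '%s\n' "$base"
}

# Demo on the constructed sites (on a Plesk box: audit_cms /var/www/vhosts)
vh=$(make_sample_vhosts)
audit_cms "$vh"
rm -rf "$vh"
```

Plugins and extensions are where most real-world CMS compromises start, and this only covers core; still, a nightly run of `audit_cms /var/www/vhosts` from cron that mails anything marked OUTDATED is the cheapest way to notice the October-era install that nobody updated.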
 
@Linulex,

Naturally, I agree with the fact that one should keep software up-to-date, i.e. use the latest version.

However, your response is a little bit biased and/or one-sided, and by that I mean to state that some relevant elements can be added.

First of all: any hacker wanting to enter your system, will enter the system (and really WordPress, Joomla and such alike are the least of your worries).

Second: the WordPress XSS vulnerability has not been that severe; it was just one guy who managed to make use of the XSS vulnerability (via multiple, very complex steps that would normally not work, and certainly not in an automated script) and reported this issue back to the WordPress development team.

Third: any Plesk installation is by default vulnerable to XSS attacks, in the sense that the default Apache and Nginx configurations barely prevent these types of attacks.

Fourth: do not worry about XSS or any other kind of "advanced" attacks, worry about the common attacks (in the majority of cases, spam and brute force attacks).

Fifth: Joomla?!? By that I mean "do not use software that is in essence a big set of old code lines with some improvements and a lot of leaks and performance issues".

Final: the latest trend in hack attacks is that various methods are used that can be successful regardless of whether the software is up-to-date. Consider DDoS attacks used to hide an auxiliary attack to enter the system: weaken the system, force a partial shutdown of critical processes, hide the actual attack behind common DDoS traffic... and enter the system.

In conclusion, you are right that the obvious solution has not been mentioned.

The problem with obvious solutions is that they are also known to hackers AND that they are NOT the best solutions.

In essence, if you want people to keep out of your system, it is all about firewall, intrusion detection and such alike, not about particular packages like WordPress or Joomla.

As a final remark, there are two approaches to security: complete paranoia or the false feeling of security by setting up firewalls, keeping software up-to-date etc.

Again, anyone having the abilities can enter your system, no worries there: just minimize the probability for such a thing to happen, that is all you can do.

Regards....
 
Of course my answer is a little biased. It's even a lot biased.

Because it was an answer to the post of Paula1, not a general lecture about in depth server security.

She said 2 sites with old versions of scripts were hacked. That was the question, so I answered that.

Regards
Jan
 
@Linulex, Jan,

Sure, I know, but we were both aiming to add general information with respect to methods of preventing hack attacks (if ever possible).

By the way, I am rather surprised by the fact that nobody mentions that using WordPress, Joomla and such alike increases "the attack surface": on the one hand because hackers can use one script to attack millions of servers (for instance, those with WP), and on the other hand because the aforementioned packages (WP/Joomla) are often installed but not well maintained (i.e. the consequence of the do-it-yourself approach often associated with these packages).

I was happy to see that you (directly or indirectly) addressed the issue of proper maintenance to reduce the attack surface.

Regards....
 