
New exploit in the wild?

placain

Guest
Someone logged in to my site today (from Romania, according to the log - I'm in the US) and created a bunch of spam domains. (One was "powder.biz", which is registered to someone in Pakistan...)

There is no possible way they could have guessed my password - before I changed it, it was U2Pvf$k_3x.

I am extraordinarily careful about my password - I only ever log in to my Plesk install from my home computer, and only over https.

This leads me to one conclusion - there's an exploit in the wild. Has anyone else started seeing this?
 
Plesk admin password is in /etc/psa/.psa.shadow, maybe they got this file.
 
-rw------- 1 psaadm psaadm 8 Jun 29 17:42 .psa.shadow

Am I correct that in order to read that file they would have to be root on my machine?

That's an even worse problem, if so...
 
Check your /tmp for funny files, run RKHunter and Chkrootkit. Sounds like it's time for a serious security check.
 
In the meantime you can adjust your firewall module to only allow management traffic to your Plesk box from your home (fixed IP).

Set this for both ssh and admin https and you have some extra time to fix your problems.
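The two suggestions above (look through /tmp and re-check the permissions on /etc/psa/.psa.shadow, then restrict SSH and the Plesk panel to one management IP) can be scripted. The following is an added example written for this thread, not code from Plesk or from any poster. It assumes a Linux host with GNU find/coreutils and iptables, uses the Plesk panel's standard port 8443, and takes 203.0.113.5 as a placeholder for the home IP.

```shell
#!/bin/sh
# Added example for this thread, not code from Plesk or from any poster.
# Assumes GNU find/stat (CentOS), iptables, Plesk admin panel on tcp/8443.

# 1. Triage a world-writable directory such as /tmp: list regular files that
#    are executable, hidden (dot-files) or modified within the last DAYS days.
#    Output is de-duplicated so a file matching several tests appears once.
suspicious_files() {
    dir="$1"
    days="${2:-7}"
    find "$dir" -xdev -type f \
        \( -perm /111 -o -name '.*' -o -mtime "-$days" \) 2>/dev/null | sort -u
}

# 2. Confirm a secret file (e.g. /etc/psa/.psa.shadow) is still mode 0600 and
#    owned by the expected user (psaadm by default). Returns 0 when both hold,
#    1 otherwise, so it can gate the rest of a script.
check_secret_perms() {
    file="$1"
    owner="${2:-psaadm}"
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    user=$(stat -c '%U' "$file" 2>/dev/null) || return 1
    [ "$mode" = "600" ] && [ "$user" = "$owner" ]
}

# 3. Build iptables rules that accept SSH (22) and the Plesk panel (8443) only
#    from one fixed management IP and drop everyone else for those ports.
#    The ACCEPT is appended before the DROP so the order is correct in an
#    append-based chain. Prints the commands by default; pass "apply" as the
#    second argument to execute them (requires root).
lockdown_rules() {
    home_ip="$1"
    action="${2:-print}"
    for port in 22 8443; do
        for rule in \
            "-A INPUT -p tcp --dport $port -s $home_ip -j ACCEPT" \
            "-A INPUT -p tcp --dport $port -j DROP"; do
            if [ "$action" = "apply" ]; then
                # shellcheck disable=SC2086  # word splitting is intended here
                iptables $rule
            else
                echo "iptables $rule"
            fi
        done
    done
}

# Example invocation (203.0.113.5 is a placeholder home IP, not a real host):
#   suspicious_files /tmp 7
#   check_secret_perms /etc/psa/.psa.shadow psaadm || echo "permissions changed!"
#   lockdown_rules 203.0.113.5          # review the rules first
#   lockdown_rules 203.0.113.5 apply    # then apply as root
```

Two caveats before applying the rules: `-A` appends after whatever the Plesk firewall module already has in INPUT, so an earlier broad ACCEPT would take precedence and should be checked with `iptables -L INPUT -n --line-numbers` first, and a fixed-IP rule locks you out the moment your home address changes, so keep an out-of-band console available.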
 