New exploit in the wild?

Discussion in 'Plesk for Linux - 8.x and Older' started by placain, Jun 29, 2005.

  1. placain

    placain Guest

    Someone logged in to my site today (from Romania, according to the log - I'm in the US) and created a bunch of spam domains. (One was "powder.biz", which is registered to someone in Pakistan...)

    There is no possible way they could have guessed my password - before I changed it, it was U2Pvf$k_3x.

    I am extraordinarily careful about my password - I only ever log in to my Plesk install from my home computer, and only over https.

    This leads me to one conclusion - there's an exploit in the wild. Has anyone else started seeing this?
  2. smtalk

    smtalk Guest

    Plesk admin password is in /etc/psa/.psa.shadow, maybe they got this file.
  3. placain

    placain Guest

    -rw------- 1 psaadm psaadm 8 Jun 29 17:42 .psa.shadow

    Am I correct that in order to read that file they would have to be root on my machine?

    That's an even worse problem, if so...
  4. jamesyeeoc

    jamesyeeoc Guest

    Check your /tmp for funny files, run RKHunter and Chkrootkit. Sounds like it's time for a serious security check.
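    As an added example that is not part of any post in this thread, the following POSIX shell helpers cover the two checks raised so far: whether /etc/psa/.psa.shadow is still readable only by its owner (so that only that account or root could have read it), and a first pass over /tmp-style directories for recently changed, executable or hidden files before running rkhunter and chkrootkit. The path, the 7-day window and the list of scratch directories are assumptions; the functions return status codes so they can be used from other scripts.

```shell
#!/bin/sh
# Added example (not from the thread): quick triage helpers for a suspected
# Plesk compromise. Paths, the day window and the directory list are assumptions.

# Return 0 if FILE exists and its mode is exactly 0600 (owner read/write only),
# i.e. only its owner or root can read it; return 1 otherwise.
check_mode_0600() {
    file="$1"
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# List regular files under DIR changed in the last DAYS days, plus anything
# executable or hidden. Run against /tmp (and /var/tmp, /dev/shm) when looking
# for "funny files"; -xdev keeps find from wandering onto other filesystems.
recent_or_odd_files() {
    dir="$1"; days="${2:-7}"
    find "$dir" -xdev -type f \( -mtime "-$days" -o -perm /111 -o -name '.*' \) -ls 2>/dev/null
}

# Number of files recent_or_odd_files flags under DIR; handy for scripting.
count_flagged() {
    recent_or_odd_files "$1" "$2" | wc -l | tr -d ' '
}

# Usage when run directly as triage.sh (hypothetical file name), not when sourced:
if [ "${0##*/}" = "triage.sh" ]; then
    if check_mode_0600 /etc/psa/.psa.shadow; then
        echo "OK: /etc/psa/.psa.shadow is 0600"
    else
        echo "WARN: /etc/psa/.psa.shadow missing or not 0600"
    fi
    for d in /tmp /var/tmp /dev/shm; do recent_or_odd_files "$d" 7; done
fi
```

    A mode of 0600 owned by psaadm means the file could only have been read by psaadm or root, which is why an unexpected read of it points at a wider compromise rather than a Plesk-only one. The `find` listing is a starting point for manual review, not a verdict; run the rootkit scanners from known-good binaries if you can.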
  5. Xtreme-IT

    Xtreme-IT Guest

    In the meantime you can adjust your firewall module to only allow management traffic to your Plesk box from your home (fixed IP).

    Set this for both ssh and admin https and you have some extra time to fix your problems.
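    As an added example that is not part of the post above, these POSIX shell functions generate (and optionally apply) the iptables rules that allow SSH and the Plesk admin HTTPS port only from one fixed home address. Assumptions: the filter table of iptables, SSH on port 22, the Plesk admin interface on 8443 (its usual default), IPv4 only, and that the firewall module mentioned in the post is not also managing these ports.

```shell
#!/bin/sh
# Added example (not from the thread): restrict SSH and the Plesk admin HTTPS
# port to a single fixed home IP with iptables. Assumptions: iptables filter
# table, SSH on 22, Plesk admin on 8443, IPv4 only.

# Small IPv4 dotted-quad validator (no CIDR). Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print, one per line, the commands that allow HOME_IP to the management ports
# and drop everyone else. Both rules are inserted at position 1, DROP first and
# ACCEPT second, so the ACCEPT ends up above the DROP and both sit above any
# broader ACCEPT already in the chain.
mgmt_allowlist_rules() {
    home="$1"
    valid_ipv4 "$home" || { echo "invalid IPv4 address: $home" >&2; return 1; }
    for port in 22 8443; do
        echo "iptables -I INPUT 1 -p tcp --dport $port -j DROP"
        echo "iptables -I INPUT 1 -p tcp --dport $port -s $home -j ACCEPT"
    done
}

# Apply the rules; with DRY_RUN set, only print them. Run this from a session
# that already comes from HOME_IP, or you lock yourself out along with the attacker.
apply_mgmt_allowlist() {
    mgmt_allowlist_rules "$1" | while read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# Usage when run directly as lockdown.sh (hypothetical name), not when sourced:
if [ "${0##*/}" = "lockdown.sh" ]; then
    DRY_RUN=1 apply_mgmt_allowlist "${1:-198.51.100.7}"   # 198.51.100.7 is a constructed example address
fi
```

    Because the DROP rules are unconditional for those two ports, any existing session from another address is cut off as well, which is the point; the remaining risk is the home IP changing, so keep an out-of-band way (console or provider rescue access) to undo the rules.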