
Plesk 8.2 appears vulnerable

pseconds (Guest)
Hi, I just ordered a new win2k3 server with Plesk 8.2 from ThePlanet. It appears that a rootkit was added within a few days of getting the server, and they are recommending reloading the OS. This is very interesting to me since I have not actually used my server yet. They stated they have several Plesk 8.2 servers in this same situation and have asked Plesk to investigate.

I used this to find the root kit:
http://www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

When I got my server, I immediately added a new admin user with a very complex password and disabled the administrator user's ID. Logged out, that's it. Came back 2 days later and the box was compromised.

Has anyone heard about this or had a similar situation?
 
Did you scan it for the rootkit the day that you received it? Perhaps the master install that you got from ThePlanet was contaminated.

Were you able to confirm the existence of the rootkit with any other virus software?
 
Yep, I scanned it when I got it, it was clean. I didn't use any other program to validate a rootkit, but did find many gigs of software and movies had been placed on the server outside of the inetpub folder.

I had the box reloaded again, scanned it, it is clean. Implemented the Plesk firewall and IPsec. I'll just let it run for a few days and see if it gets hit again.
 
Scary! Please let us know what the resolution is.

I wonder if it was an inside job by an employee at the datacenter, or an issue with their local network? It just seems so improbable that a brand new Plesk install could have an internet security hole like that.
 
Plesk's last vulnerability was fixed in the 8.2.01 update and was caused by CSS issues.
But the rootkit you describe is perhaps the result of firewall issues or MailEnable services.
Please specify what kind of rootkit you have found (tip: try to create a libssl32.dll file).
John S.G.
 
pseconds, go and get a dedicated server here: www.softlayer.com. The OS reloads are FREE! I have been with SoftLayer for almost a year now: 100% uptime, NEVER problems.
 
I have the same problem

Hi,

I have experienced the same problem. My problem began 40 days ago:
I restarted the server and it didn't come back, so OS reload, restoring Plesk backups. One week later I restarted the server and then the server didn't come back again, so OS reload,
again and again. I bought a firewall for the server (Cisco Checkpoint X16); this time F-Secure uninstalled every day. ThePlanet installed it and it uninstalled. After all the problems they said 3 days ago that there is a problem with Plesk and I should wait for a solution from SWsoft.
I mention that I had F-Secure from the time I got the server and I had no problem for 4 months.

I also ask anyone who experienced something like this to tell us.

Regards,
Hamed
 
Same exact thing happened to me, brand new Plesk 8.2 server from ThePlanet and it was hacked within a week. Supposedly it had all the Windows updates installed, but I didn't have a chance to confirm that. I had an OS reload done, and the next time didn't have an issue, but I quickly went through hardening procedures while remote access was denied.

Lesson learned: never trust ThePlanet technicians, always double check everything they do because they have screwed up my servers countless times.
 
****, my 8.2 is infected too!

****! I just ran the RootkitRevealer application, but I had to do it by logging into the console, using "mstsc /v:SERVERNAME /console" in order to run RootkitRevealer.

I've run Windows servers for years, never had a problem. I just got my first Plesk server in October, thought I did all my typical hardening procedures, but it appears that I now have the Hacker Defender rootkit also. I did notice that even though I've only got 40 or so websites on it, it was consuming a ton of bandwidth, but never looked into where that was coming from. Now that I see dozens of European feature films stored on the server, but not in any client folders, I know where my bandwidth is going.

I'm scanning my other 20 non-Plesk servers this morning too, but so far Plesk is the only one infected.

So how do I recover from this and prevent this from happening again?
 
The problem is with Plesk, no doubt

Hi,

Are you a ThePlanet user?
Is there anyone else with the same problem in other datacenters?

I chatted with ThePlanet support today, and they told me this is a Plesk problem, and I found out rootkits can go just by OS reload, both from the Microsoft side or the SWsoft side???? What do you think??

May I also know what the attacker has done with your server?

I also heard this rootkit was announced first by a Mexican hacker? Has anyone heard regarding that?

I hope also one of the SWsoft support people comes here and answers others' questions and confirms this problem.

Regards,
 
The same thing happened to me 2 months ago. I noticed a sudden rise of disk usage and then I found out someone had uploaded tons of heavy files to my Windows temp folder.

I was running Plesk 8.1.0 in the ThePlanet data center.

I upgraded to a new server and so far it has been working ok.
 
Anyone in any other datacenter with the same problem?

Hi,

Does anyone have the same problem with a server in another datacenter?
Or any other experiences?

Regards,
 
No,

Softlayer, LayeredTech, Netdirect and Local datacenter.

There is no problem with the datacenters, Plesk is the problem. I have seen more than 100 servers; 90% of these servers have this problem.
 
And how do you go about blocking all RDP ports from the firewall?
Do you do this through the Plesk admin panel under:
Server > IP Addresses > Firewall > Remote Desktop

By doing this, do you need to enable it in the Plesk panel every time you need
to log in to the server by RDP???


Thanks
 
This is not a reasonable way

Hi,

This is not a reasonable way, because ThePlanet needs to connect to the server.
I want to know the reasons.

Regards,
Hamed
 
I blocked all ports then I made some rules;

Deny All
Allow All > Port 21,25,53,80,110,443,8443
Allow Only From MY IP ( Static DSL IP ) > Port 3389 ( RDP )

If you block 3389 (RDP), they can only create a user but they cannot log in.
If you don't block 3389 (RDP), they create a user, add the user to the Administrators group, then log in via RDP and install whatever they want :)
 
This is not a good way because

Hi,

I know this prevents it, but what do you do if Plesk breaks? Sometimes even the Plesk login page does not come up and it needs reconfiguration. If you blocked RDP you cannot log in to Plesk and cannot log in to RDP, so no access to anything. I have a Cisco Checkpoint X16 but I am still afraid of closing the RDP port. And also, if this is a Plesk hole, can the hacker come and activate RDP from the Plesk admin? Can't he?

And I want to know if you see anyone logging in to your server with the administrator user?

Regards
 
I always allow access to port 3389 FROM MY IP; I block RDP access for others.

They create a user, add the user to the Administrators group and log in to the server with the new user. They don't log in with the administrator user's password. Members of the Administrators group can log in via RDP.

If you have a STATIC IP you can add it to the firewall config like me. If you have a dynamic IP don't do that, or you will not be able to log in via RDP either.
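The rule set described in the two posts above (deny all, open the service ports, allow RDP only from one static IP) plus a check of who is in the local Administrators group, as an added example that is not from any poster in this thread. It uses the Windows Firewall cmdlets of Windows Server 2012 or later rather than the Plesk 8.2 panel; the admin IP and the expected admin account list are placeholders, and the UDP 53 rule is an assumption added for DNS.

```powershell
# Added example, not from this thread. Needs Windows Server 2012+ (NetSecurity module);
# Get-LocalGroupMember needs Windows Server 2016+ / PowerShell 5.1.
# Run it from the console, not over the RDP session the rules are about to restrict.
$AdminIp        = '203.0.113.10'                    # placeholder: the admin's static IP
$PublicTcpPorts = 21, 25, 53, 80, 110, 443, 8443    # the ports the post opens to everyone

# 1. Scoped RDP rule first, so the default-deny below cannot lock the admin out.
New-NetFirewallRule -DisplayName 'RDP from admin IP only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminIp -Action Allow | Out-Null

# 2. The built-in "Remote Desktop" rules allow 3389 from any address; disable them
#    so the scoped rule above is the only way in over RDP.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# 3. Service ports open to everyone (FTP, SMTP, DNS, HTTP, POP3, HTTPS, Plesk panel).
#    UDP 53 is an assumption: the post lists ports only, and DNS is mostly UDP.
New-NetFirewallRule -DisplayName 'Public service ports (TCP)' -Direction Inbound `
    -Protocol TCP -LocalPort $PublicTcpPorts -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'DNS (UDP)' -Direction Inbound `
    -Protocol UDP -LocalPort 53 -Action Allow | Out-Null

# 4. "Deny All": inbound traffic not matched by an allow rule is dropped on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 5. Verify the RDP rule is scoped to the one address and not to 'Any'.
Get-NetFirewallRule -DisplayName 'RDP from admin IP only' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 6. The posts say the intruder adds a new account to Administrators and logs in over RDP:
#    warn about any member that is not on the known list.
$Expected = @('Administrator')                      # placeholder: your known admin accounts
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $Expected } |
    ForEach-Object { Write-Warning "Unexpected Administrators member: $($_.Name)" }
```

The same RDP-source restriction can be expressed in the Plesk firewall under Server > IP Addresses > Firewall > Remote Desktop, as the earlier poster asked; the point either way is that the rule allowing 3389 names one source address rather than "Any".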
 