Plesk auto update?!?

Sempiterna

New Pleskian
I was planning to send the text below to Parallels through a support ticket, but it seems I have to do that through the reseller... who are probably not even the problem here. So I'll post it below:

--start--
I found out today that my Plesk 8.4 has suddenly upgraded itself to version 8.6, causing me to not receive mail for all day due to upgrade problems. This happened on April 1st around 9am CET.

I do not remember having given Parallels permission to do so. This is a live server which is crucial to my operations. I have my reasons for not upgrading a live server, mainly because Plesk is known (!) for breaking things when upgrading.

According to the Plesk log, this was done via IP 87.117.255.64.

Needless to say, I am quite dismayed about all this. Finding out what caused the mail not to be delivered and fixing it took me 4 whole hours. God knows what else doesn't work correctly anymore.

I would like to know what gives Parallels the right to instruct my server to upgrade itself. It wasn't me, it wasn't the datacenter. There are no root access logs indicating anyone entering my system. So I guess it was an instruction that was sent from you guys, either in the Plesk code, or otherwise to update the installation.

I eagerly await your explanation for this.
--end--

Anyone else had their system updated this way? I wrote the above text a few hours ago and I'm still working to clean up the mess this upgrade caused. Even though it's almost 5am here. I'm so seriously pissed off, it's not even funny.
 
Hello Sir

I am tech support engineer.
First I would like to mention that Plesk never upgrades by itself; it can upgrade through
a scheduled task, but this should be configured. Also I want to assure you that nobody from the Parallels team
could upgrade Plesk on the server without your permission.
You mentioned IP 87.117.255.64 - this IP is not from our company range, the server with such IP is not in Russia
(where Parallels support is located). As I see from whois report 87.117.255.64 is somewhere in UK.
 
Thank you for responding. This makes me very worried, because I asked my server provider and they didn't do anything that caused this. I filed an abuse report at eukhost.com, the owner of the IP address that did the upgrade, and they told me that server was not compromised.

I surveyed my server completely and nothing was found. In fact that whole IP cannot be found on my server, there are no backdoors and no viruses. I have a password that would be extremely hard to bruteforce (over 20 characters), my Plesk password is equally strong.

The Plesk logfile is the only place where I can find anything regarding this upgrade. The first two lines are:

87.117.255.64 [2009-04-01 09:40:27] 'Plesk component upgrade' ('Plesk component name': 'psa' => 'psa')
87.117.255.64 [2009-04-01 09:40:27] 'Plesk component upgrade' ('Plesk component name': 'psa-api-rpc' => 'psa-api-rpc')

Usually when an admin logs in at the control panel (I'm the only one with access), an entry is added to the list that someone logged on. This was not the case here. The above two entries are the start of the upgrade, and there was no login message at all.

So this is worrying... how can someone start an upgrade without being on the server and without logging in at Plesk??

The only thing I can think of now is that there is a backdoor in Plesk itself that allows circumventing the usual login methods, and I think that this needs to be investigated by Parallels. I will allow Parallels access to the server if they need it.
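The check described in the post above (an upgrade entry with no login entry from the same IP before it) can be automated over the action log. This is an added example, not part of the thread and not Plesk's own code; the line shape is taken from the two entries quoted in the post, while the login action name `CP User Login`, the 12-hour window and the `192.0.2.10` lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the two entries quoted in the post:
#   IP [YYYY-MM-DD HH:MM:SS] 'Action' (details)
LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[\d-]+ [\d:]+)\] '(?P<action>[^']+)'(?: \((?P<detail>.*)\))?$"
)
UPGRADE_ACTION = "Plesk component upgrade"  # as quoted in the post
LOGIN_ACTION = "CP User Login"  # assumption: the post does not quote a login entry


def parse(line):
    """Split one action-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return {"ip": m["ip"], "ts": ts, "action": m["action"], "detail": m["detail"] or ""}


def upgrades_without_login(lines, window=timedelta(hours=12)):
    """Return upgrade events whose source IP logged no login within `window` before them.

    Assumes the lines are in chronological order, as in an append-only log.
    """
    last_login = {}
    findings = []
    for ev in filter(None, map(parse, lines)):
        if ev["action"] == LOGIN_ACTION:
            last_login[ev["ip"]] = ev["ts"]
        elif ev["action"] == UPGRADE_ACTION:
            seen = last_login.get(ev["ip"])
            if seen is None or ev["ts"] - seen > window:
                findings.append(ev)
    return findings


SAMPLE = [
    # Constructed lines (documentation IP, hypothetical login format and component name).
    "192.0.2.10 [2009-03-31 18:02:11] 'CP User Login' ('Contact Name': 'admin' => 'admin')",
    "192.0.2.10 [2009-03-31 18:05:40] 'Plesk component upgrade' ('Plesk component name': 'example' => 'example')",
    # The two entries quoted in the post.
    "87.117.255.64 [2009-04-01 09:40:27] 'Plesk component upgrade' ('Plesk component name': 'psa' => 'psa')",
    "87.117.255.64 [2009-04-01 09:40:27] 'Plesk component upgrade' ('Plesk component name': 'psa-api-rpc' => 'psa-api-rpc')",
]

if __name__ == "__main__":
    for ev in upgrades_without_login(SAMPLE):
        print(ev["ts"], ev["ip"], ev["detail"])
```

Each finding is a starting point for correlation with SSH, cron and package-manager logs for the same timestamp, since the action log alone does not show how the upgrade was triggered.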
 
Generally it is possible to upgrade Plesk from command line interface using /usr/local/psa/admin/sbin/autoinstaller utility which has
command line options, but in any case it should be executed from "root" user, so if any backdoor - it should be concerning root
access to the server rather than login to Plesk CP.
/usr/local/psa/admin/sbin/autoinstaller cannot be launched remotely to upgrade Plesk (it does not have any possibility to pass username/password and IP), but there is a tool and option to install Plesk on numerous servers:
http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.0-unix-installation-guide/18522.htm
I guess it can be used for upgrade as well.
But, in any case, the person who starts it must have root access to the server.
 
But how is this possible if there has been no access to root logged on this server other than from myself? All the logs are clean. I am the only one with root access to this server and I was in bed while this happened (and no root access logged at that time).

I also don't have a password that can be easily guessed (over 20 random characters) and my SSH port is not the default one. So it seems root was not the issue here.

But if it was done from the command line, then why is the IP that was logged at Plesk (87.117.255.64) not localhost and from a completely different provider? If executed from the command line, the IP in Plesk should be either localhost or my server IP.
 
Hello;

My Plesk server cannot update itself. My Plesk version is psa v8.6.0_build86080930.03 os_CentOS 5 (x64) but I can't see update list in build080710.09 (update-5).

I get the plesk's website parallels_installer_v3.3.2_build080710.09_os_CentOS_5_x86_64 and run but it said already installed.

How can I resolve this update problem?

Thanx
Muharrem
 