
Plesk box compromised?

Discussion in 'Plesk for Linux - 8.x and Older' started by Diaego, Jan 3, 2008.

  1. Diaego

    Diaego Guest

    Afternoon all,

    I'm hoping someone might be able to help with this. We're running a fully up-to-date Plesk box (8.3.0), but I believe, somehow, it may have been compromised. I decided to run a rootkit check randomly, and have the following output:

    So obviously, this would appear the server has been compromised. However, I'm confused how this could happen on a server that has always been kept fully up-to-date (as in Updater is frequently run). Can anyone suggest a few ways I can attempt to discover how this has happened? I'm not a linux expert, hence it running Plesk, but I do know most of the basics on command line.

    Any help would be really appreciated.
     
  2. atomicturtle

    atomicturtle Golden Pleskian

    I'd say the two primary vectors would be through either compromising an administrator account/personal desktop, or through an exploitable web application. Unfortunately, once a system has been compromised to that level with a rootkit, a considerable amount of forensic data is lost.
     
  3. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    The number one attack I see on a daily basis is attempting to remotely load files or inject php code into websites. Either of which can then be a tool used to grant a remote attacker root access and from there your box is pwnt.
     
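    As an added illustration of the two patterns Amin describes (attempts to load remote files and to inject PHP code through web applications), here is a small access-log scanner. It is not from this thread or from Plesk; the log lines it scans are constructed, and the indicator patterns are assumptions about what such attempts commonly look like in a query string.

```python
"""Scan Apache combined-format access log lines for remote file inclusion (a URL passed
as a parameter value) and PHP code injection indicators. Added example; the sample log
below is constructed and does not come from any real server."""
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Combined log format: client - user [time] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})')

# Indicators (assumed, not exhaustive) checked against each decoded parameter value.
RFI_RE = re.compile(r'^(?:https?|ftp)://', re.I)
PHP_INJECT_RE = re.compile(r'<\?php|php://(?:input|filter)|base64_decode\s*\(|\beval\s*\(', re.I)

def classify_value(value):
    """Return 'rfi', 'php_injection' or None for one query parameter value."""
    v = unquote_plus(value)  # second decode catches double-encoded payloads
    if RFI_RE.search(v):
        return 'rfi'
    if PHP_INJECT_RE.search(v):
        return 'php_injection'
    return None

def scan_log(lines):
    """Return one finding dict per suspicious parameter: ip, path, param, kind, status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group('target'))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({'ip': m.group('ip'), 'path': url.path, 'param': name,
                                 'kind': kind, 'status': int(m.group('status'))})
    return findings

# Constructed sample: two injection attempts from one host, one from another, one benign hit.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2008:14:02:11 +0000] "GET /index.php?page=http://203.0.113.9/c.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [03/Jan/2008:14:02:15 +0000] "GET /gallery.php?img=php://input HTTP/1.1" 200 44 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Jan/2008:14:03:01 +0000] "GET /blog/?s=eval%28base64_decode%28%27aGk%3D%27%29%29 HTTP/1.1" 404 210 "-" "curl/7.16"
192.0.2.20 - - [03/Jan/2008:14:05:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 3100 "http://example.com/" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f)
```

A 200 status on a flagged request (as in the first two sample lines) is the case worth investigating first, since it means the application answered rather than rejected the request.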
  4. lvalics

    lvalics Silver Pleskian Plesk Guru

    Why not use ASL from atomicturtle? This will install enough security tools, and the most important one is mod_security, which will prevent PHP injections in almost all cases (it even sometimes dies when I use phpMyAdmin :) ).
     
  5. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    Lol, that's exactly why I host phpMyAdmin on a remote machine: one centralized machine hosts it for all machines to use, and then I set chmod -R 0000 on the one included with Plesk :p
     
  6. Monarch1

    Monarch1 Guest

    Anyone use, or have experience with, or have any comment on security monitoring services such as HackerSafe, etc.? Is it worth the $$$?
     
  7. atomicturtle

    atomicturtle Golden Pleskian

    Those services are targeted at looking for vulnerabilities in services, like a vulnerable version of SSH and the like. Their ability to identify web based vulnerabilities (which is your threat) from automated scans is very limited. It doesn't hurt to do it though. Just be aware of the high rate of false positives.
     
  8. Monarch1

    Monarch1 Guest

    Thanks AT. I am beginning to see logos for monitoring companies on a massive number of sites I visit, and was just wondering their value.
     
  9. atomicturtle

    atomicturtle Golden Pleskian

    A lot of that is due to the new PCI DSS requirements.
     
  10. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    Plus people are dumb and think that a little icon on a page means they are safe, so to appease those people everyone gets those types of things, when it doesn't necessarily mean they are "hacker safe"; they just passed a couple of tests :)
     
  11. atomicturtle

    atomicturtle Golden Pleskian

    Right, there are 12 controls in PCI DSS, the scan is only 1 of them.
     