
Plesk hacked websites hacked / proftpd ?

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by AlbertCa, Jan 24, 2013.

  1. AlbertCa (New Pleskian)
  2. IgorG (Forums Analyst, Staff Member)
    On Plesk 11 for Debian, for example:

    # cat /usr/local/psa/version
    11.0.9 Debian 6.0 110120615.10

    # dpkg -l | grep proftpd
    ii psa-proftpd 1.3.4a-debian6.0.build110120606.18 ProFTPD -- Professional FTP Server.
     
  3. AlbertCa (New Pleskian)
    On one of my Plesk servers I'm running psa-proftpd-1.3.4a-1.el5.art (Atomic install).

    How can I upgrade proftpd on all my Plesk servers if I'm running Plesk 8 to 10?

    Thanks
     
  4. IgorG (Forums Analyst, Staff Member)
  5. AlbertCa (New Pleskian)

    psa-proftpd-1.3.4a-1.el5.art was hacked too, I meant...
     
  6. IgorG (Forums Analyst, Staff Member)
  7. AlbertCa (New Pleskian)
  8. Faris Raouf (Silver Pleskian, Plesk Guru)
    As Igor mentioned, the version of psa-proftpd that you are using (1.3.4a) is not vulnerable to the issues described in the page you linked to. The very latest problem mentioned on that page is for 1.3.3.

    Although there is a 1.3.4b version of ProFTPd (the base package, not the Plesk-customised one), it does not incorporate any security fixes as far as I can see, only bug fixes.

    There is also a 1.3.5RC1, but this is a big change and does not incorporate any security fixes that I know of. It was released on the 2nd of January 2013.

    This is not to say there aren't any security issue fixes in them at all -- it is just that they aren't mentioned in the release notes.

    See https://forums.proftpd.org/smf/index.php/board,7.0.html

    So I think we need to look at why you think proftpd was the source of the hack. There could be many other reasons. If you could possibly explain in a bit more detail, we may be able to get closer to understanding what's going on.
     
  9. AlbertCa (New Pleskian)
    Hello Faris,

    Almost all servers are running proftpd 1.3.3... except one, which has also been hacked. I thought it was proftpd because of the security alert I found. But maybe there's another hack in Plesk or one of its components?

    What should I do? Apply micro-updates on all servers?

    Thanks
     
  10. Faris Raouf (Silver Pleskian, Plesk Guru)
    There was a significant vulnerability in Plesk that was discovered last year.

    If you were not keeping your panel up to date, it is possible that this is what was used to gain access to it.

    Take a look here:

    http://kb.parallels.com/en/113457

    http://kb.parallels.com/en/113448

    http://kb.parallels.com/en/114396

    *IF* (and I stress *IF*) this is the cause of your problem then you'll need to do a minimum of two things: Update to the latest MU and use the password reset scripts that you'll find linked to in the info in the KBs. Read through all the info carefully and decide the best course of action.
     
  11. Faris Raouf (Silver Pleskian, Plesk Guru)
    Also note that keeping your system updated via MUs will make sure the latest Plesk-supplied psa-proftpd that's available for your version of Plesk is also installed. I'm not saying it WASN'T proftpd that was the problem -- it is just that if the same thing happened on the 1.3.4a one then you don't have a common denominator and it is unlikely to be the cause.
     
  12. Faris Raouf (Silver Pleskian, Plesk Guru)
    Oh, wait. Are you saying that the only one that WASN'T hacked was running 1.3.4a? If so then...Hmmm...

    Anyway, apply those MUs and get the latest everything! That's definitely a first step.
     
  13. Faris Raouf (Silver Pleskian, Plesk Guru)
  14. AlbertCa (New Pleskian)
    Hello,

    I had confirmation that the hacker modified pages via FTP.
    It seems that he gained access on several servers, so does Parallels propose an upgrade for this package?

    psa-proftpd-1.3.2e-cos5.build95101209.05

    What can I do? Resetting passwords may be useless because it won't explain how he got them before...

    This is very critical...
     
  15. Faris Raouf (Silver Pleskian, Plesk Guru)
    Well...don't jump to conclusions.

    If you did not secure your system by installing the MUs and your system was vulnerable then the bad guys will have been able to obtain all the usernames and passwords for all accounts.

    If all your sites have been hacked, this is the most likely cause rather than a relatively obscure issue in proftpd.

    If it was just one site, then most likely the customer has password-sniffing malware on their computer, or such malware was installed on a computer they used to login at some point (or used an insecure wifi access point or something).

    Once again please note that I'm not saying it definitely isn't this proftpd vulnerability that was the cause of the hack. It is just that I've never heard of anybody at all being compromised by this, but there are plenty of people I know of who were unfortunate enough to be affected by the vulnerability I mentioned.

    Regarding upgrading to the latest psa-proftpd, you do this through the Plesk updater (Updates and Upgrades link in the Tools menu) within your panel, which will pull down the latest version if need be. There has never been a need to manually install proftpd updates unless you want to use components from a different repo (e.g. the Atomic ones).

    So, if you need a version like 1.3.4, install the atomic repo and get it from there. But keep in mind that the repo also includes updated php and mysql and other components you may not want. So you could just install what you want then disable the repo. HOWEVER, you will find that every time you install an MU, the latest Parallels-provided psa-proftpd files will be re-installed.
     
  16. AlbertCa (New Pleskian)
    Hello Faris,

    Yes, you're right, FTP is maybe not the key after all ;) a colleague used it to correct pages.
    I did run MU on all my servers, but the hack occurred again today.

    Any recommendations?

    Thank you for your help
     
  17. Faris Raouf (Silver Pleskian, Plesk Guru)
    Unless you change *all* the passwords using the password-changing script, and remove any nasty stuff that has been put on the websites (as well as the password changing script, the KBs I pointed to also have a bad stuff removing script but only for the type used widely at the time of the original vulnerability), it will keep getting hacked.

    It is also possible that other bad stuff has been installed and needs to be found and removed, or that the compromise is something different from that mentioned in the KB (for example, via an OS application that has not been updated) or ...well...it could be lots of things unfortunately :-( I know I'm not being much help. But changing all the passwords is absolutely necessary, then scanning the entire system for nasty things.

    Use rkhunter for rootkits and clamav for a general system scan for malware.
     
  18. Hostasaurus.Com (Regular Pleskian)
    So are you saying that proftpd 1.3.3e that is still installed and distributed by Plesk 10.4.4 is vulnerable?
     
  19. Faris Raouf (Silver Pleskian, Plesk Guru)
    To my *untrained* eye, and if I'm following the correct links from the page the OP posted, the out-of-the-box 1.3.3 has a bug in it that could cause some trouble, but ONLY if the attacker has local (e.g. ssh) access to the filesystem in question as well as ftp access to the same files, AND even then only under certain conditions. I have not read the entire thread discussing the issue, however.

    Incidentally, CVE-2012-6095 implies that it is all versions below 1.3.5rc1 but is also marked "under review".

    At this stage I do not see anything to worry about. Otherwise I have no doubt there would have been a lot of noise about this both here and on other forums I visit.

    I'm sure the Parallels devs have their eye on this.
     
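As an added example (not code from any poster in this thread): a small Python check that parses the psa-proftpd package strings quoted above and flags any whose ProFTPD version is below 1.3.5rc1, the affected-below version Faris quotes from the CVE-2012-6095 entry. The host names and the inventory dict are constructed; the version strings are the ones that appear in the thread. It handles the ordering that `sort -V` gets wrong: a release candidate sorts before its final release, while a letter suffix (1.3.4a) sorts after the bare release.

```python
import re

# Constructed sample inventory: package strings as quoted in the thread,
# keyed by made-up host names (not real servers).
SAMPLE_INVENTORY = {
    "debian-plesk11": "psa-proftpd 1.3.4a-debian6.0.build110120606.18",
    "centos-plesk10": "psa-proftpd-1.3.2e-cos5.build95101209.05",
    "centos-atomic": "psa-proftpd-1.3.4a-1.el5.art",
    "plesk-10.4.4": "proftpd 1.3.3e",
}

# Affected-below version as quoted from the CVE entry in the thread.
THRESHOLD = "1.3.5rc1"

# major.minor.patch, then either an rcN tag or a single letter suffix.
# The rc alternative comes first so "1.3.5rc1" is not read as suffix "r".
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?", re.IGNORECASE)


def parse_version(text):
    """Return (version text, sort key) for the first ProFTPD version in text.

    Key layout: (major, minor, patch, final_flag, rank). Release candidates
    get final_flag 0 and rank = rc number; releases get final_flag 1 and
    rank = letter position (0 for a bare release, 1 for 'a', 2 for 'b', ...).
    Package noise such as '-debian6.0.build...' after the version is ignored.
    """
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no ProFTPD version found in %r" % text)
    major, minor, patch, rc, letter = m.groups()
    base = (int(major), int(minor), int(patch))
    if rc is not None:
        return m.group(0), base + (0, int(rc))
    rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return m.group(0), base + (1, rank)


def is_affected(package_string, threshold=THRESHOLD):
    """True when the package's ProFTPD version is strictly below threshold."""
    return parse_version(package_string)[1] < parse_version(threshold)[1]


def audit(inventory):
    """Map host -> (parsed version, affected flag) for a package inventory."""
    return {host: (parse_version(pkg)[0], is_affected(pkg))
            for host, pkg in sorted(inventory.items())}


if __name__ == "__main__":
    for host, (ver, flagged) in audit(SAMPLE_INVENTORY).items():
        print("%-15s %-8s %s" % (host, ver, "below " + THRESHOLD if flagged else "ok"))
```

Feed it the output of `dpkg -l | grep proftpd` or `rpm -q psa-proftpd` collected from each server in place of the constructed inventory.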