• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk hacked websites hacked / proftpd ?

ProFTPD 1.3.3 and prior are prone to a vulnerability
Click to expand...
On Plesk 11 for Debian, for example:

# cat /usr/local/psa/version
11.0.9 Debian 6.0 110120615.10

# dpkg -l | grep proftpd
ii psa-proftpd 1.3.4a-debian6.0.build110120606.18 ProFTPD -- Professional FTP Server.
 
On one of my plesk server I'm running psa-proftpd-1.3.4a-1.el5.art (atomic install).

How can I upgrade proftpd on all my plesk servers if I'm runing plesk 8 to 10 ?

Thanks
 
As Igor mentioned, the version of psa-proftpd that you are using (1.3.4a) is not vulnerable to the issues described in the page you linked to. The very latest problem mentioned on that page is for 1.3.3.

Although there is an 1.3.4b version of ProFTPd (the base package, not the Plesk-customised one), it does not incorporate any security fixes as far as I can see- only bugfixes.

There is also a 1.3.5RC1 but this is a big change and does not incorporate any security fixes that I know of. It was released on the 2nd of Januaty 2013.

This is not to say there are not any security issues fixes in them at all -- it is just that they aren't mentioned in the release notes.

See https://forums.proftpd.org/smf/index.php/board,7.0.html

So I think we need to look at why do you think proftpd was the source of the hack? There could be many other reasons. If you could possible explain in a bit more detail, we may be able to get closer to understanding what's going on.
 
Faris Raouf said:
As Igor mentioned, the version of psa-proftpd that you are using (1.3.4a) is not vulnerable to the issues described in the page you linked to. The very latest problem mentioned on that page is for 1.3.3.

Although there is an 1.3.4b version of ProFTPd (the base package, not the Plesk-customised one), it does not incorporate any security fixes as far as I can see- only bugfixes.

There is also a 1.3.5RC1 but this is a big change and does not incorporate any security fixes that I know of. It was released on the 2nd of Januaty 2013.

This is not to say there are not any security issues fixes in them at all -- it is just that they aren't mentioned in the release notes.

See https://forums.proftpd.org/smf/index.php/board,7.0.html

So I think we need to look at why do you think proftpd was the source of the hack? There could be many other reasons. If you could possible explain in a bit more detail, we may be able to get closer to understanding what's going on.
Click to expand...

Hello Faris,

Almost all servers are running proftpd 1.3.3... except one has also been hacked. I thought it was the proftpd because of the security alert I found. But there's maybe another hack in plesk or one of its components ?

What should I do ? Apply micro updates on all servers ?

Thanks
 
There was a significant vulnerability in Plesk that was discovered last year.

If you were not keeping your panel up to date, it is possible that this is what was used to gain access to it.

Take a look here:

http://kb.parallels.com/en/113457

http://kb.parallels.com/en/113448

http://kb.parallels.com/en/114396

*IF* (and I stress *IF*) this is the cause of your problem then you'll need to do a minimum of two things: Update to the latest MU and use the password reset scripts that you'll find linked to in the info in the KBs. Read through all the info carefully and decide the best course of action.
 
Also note that keeping your system updated via MUs will also make sure the latest Plesk-supplied psa-proftpd that's available for your version of Plesk will also be installed. I'm not saying it WASN'T proftpd that was the problem -- it is just that if the same thing happened on the 1.3.4a one then you don't have a common denominator and it is unlikely to be the cause.
 
Oh, wait. Are you saying that the only one that WASN'T hacked was running 1.3.4a? If so then...Hmmm...

Anyway, apply those MUs and get the latest everything! That's definitely a first step.
 
Hello,

I had the confirmation that the hacker modified pages with the FTP.
Seems that he gained access on several server, so does parallels propose an upgrade for this package ?

psa-proftpd-1.3.2e-cos5.build95101209.05

What can I do ? resetting password may be unuseful because it won't explain how he got it before...

This is very critical...
 
Well...don't jump to conclusions.

If you did not secure your system by installing the MUs and your system was vulnerable then the bad guys will have been able to obtain all the usernames and passwords for all accounts.

If all your sites have been hacked, this is the most likely cause rather than a relatively obscure issue in proftpd.

If it was just one site, then most likely the customer has password-sniffing malware on their computer, or such malware was installed on a computer they used to login at some point (or used an insecure wifi access point or something).

Once again please note that I'm not saying it definitiely isn't this proftpd vulnerability that was the cause of the hack. It is just that I've never heard of anybody at all being compromised by this, but there are plenty of people I know of who were unfortunate enough to be affected by the vulnerability I mentioned.

Regarding upgrading to the latest psa-proftp, you do this through the Plesk updater (updated and upgrades link in the Tools menu) within your panel, which will pull down the latest version if need be. There has never been a need to manually install proftpd updates unless you need want to use components from a different repo (e.g. the atomic ones).

So, if you need a version like 1.3.4, install the atomic repo and get it from there. But keep in mind that the repo also includes updated php and mysql and other components you may not want. So you could just install what you want then disable the repo. HOWEVER, you will find that every time you install an MU, the latest Parallels-provided psa-proftpd files will be re-installed.
 
Hello Faris,

Yes you're right, FTP is finally maybe not the key ;) a colleague used it to correct pages.
I did run MU on all my servers but the hack occurred again today.

Any recommendation ?

Thank you for your help
 
Unless you change *all* the passwords using the password-changing script, and remove any nasty stuff that has been put on the websites (as well as the password changing script, the KBs I pointed to also have a bad stuff removing script but only for the type used widely at the time of the original vulnerability), it will keep getting hacked.

It is also possible that other bad stuff has been installed and needs to be found and removed, or that the compromise is something different to that mentioned in the KB (for example, via an OS application that has not been updated) or ...well...it could be lots of things unfortunately :-( I know I'm not being much help. But changing all the passwords is absolutely necessary, then scanning the entire system for nasrty things.

Use rkhunter for rootkits and clamav for a general system scan for malware.
 
IgorG said:
On Plesk 11 for Debian, for example:

# cat /usr/local/psa/version
11.0.9 Debian 6.0 110120615.10

# dpkg -l | grep proftpd
ii psa-proftpd 1.3.4a-debian6.0.build110120606.18 ProFTPD -- Professional FTP Server.
Click to expand...

So are you saying that proftpd 1.3.3e that is still installed and distributed by Plesk 10.4.4 is vulnerable?
 
To my *untrained* eye, and if I'm following the correct links from the page the OP posted, the out of the box 1.3.3 has a bug in it that could cause some trouble, but ONLY if the attacker has local (e.g. ssh) access to the filesystem in question as well as ftp access to the same files, AND even then only under certain conditions. I have not read the entire thread discussing the issue, however.

Incidentally, CVE-2012-6095 implies that it is all versions below 1.3.5rc1 but is also marked "under review".

At this stage I do not see anything to worry about. Otherwise I have no doubt there would have been a lot of noise about this both here and on other forums I visit.

I'm sure the parallels devs have their eye on this.
 
You must log in or register to reply here.

Similar threads

E
Issue Abnormal CPU usage and Apache crash
Replies
13
Views
3K
MartinT
M
V
Issue Smarthost + SRS = relay?
Replies
2
Views
884
vanlier
V
cmandoyle
Issue Properly Connecting a WordPress Website
Replies
1
Views
117
Martin Dias
Martin Dias
I
Question Plesk Migrator - roundcube address book and identities not transferred
Replies
2
Views
166
ipapachristoudis
I
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
1
Views
242
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top