
Plesk Install - possible rootkit detected

bskrakes

Basic Pleskian
Hi there, so this really frustrates me... I am running VMware Workstation 7.x (latest update) with a fresh install of CentOS 5.4 32-bit, VMware Tools installed and snapshots taken. I just completed the install of Plesk 9.5.2 and rebooted. After rebooting I went into the CP, changed my settings and ran the watchdog security check, which I believe to be rkhunter... now it has detected a few potential files and rather than saying "ok" they say "warning."

I am not a security specialist and realize that some files may cause false positives but it would be nice to know if someone can confirm this. My machine is behind a firewall and has only been connected to download Plesk along with this post... how can I be infected already?

Err, come on Parallels!!!
 
Which files does rkhunter report as being affected? Do you have a "plesk-root" user on the system? Plesk is vulnerable until you change the default password, and someone out there is scanning common DC IP ranges. I've seen this myself.
 
Hi Hultenius,

No user called "plesk-root." just "root" and "psaadm."

I had both SHV4 and SHV5 rootkits showing as "warnings" in the Plesk watchdog rkhunter scan. I have since formatted my server, re-installed Plesk and performed a restore from a backup. Lucky for me the backup seems to be fine; once restored I ran another scan and no traces of any rootkits were found.

However what I do find funny is that on a clean install of Plesk the scan actually shows a few files with warnings, is this a false positive?

Thanks.
 
Once again: a warning is not a real alert. It is just a warning about a possible problem.
 
This is most certainly not a false positive. Your server was infected; I remember those names (SHV4 & SHV5). I'm surprised you didn't have a "plesk-root" user/alias in your /etc/passwd file.

Good practice by formatting the drive! A server that has been infected can never be trusted.

More information and some good tips on how you can install Plesk in a safe way can be found here:
http://www.atomicorp.com/forums/viewtopic.php?f=3&t=4271
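As an added example (it is not code from anyone in this thread, from Plesk or from rkhunter), here is a small POSIX shell script for two of the checks Hultenius describes above: looking for extra UID-0 accounts in /etc/passwd (such as the "plesk-root" account he mentions) and pulling the warning lines out of an rkhunter log so they can be compared between a fresh install and a later scan. The passwd contents and the log lines are constructed samples with an approximated rkhunter format, and the function names are my own.

```shell
#!/bin/sh
# Added example: triage helpers for the checks discussed in the thread.
# The sample data and function names are constructed for this example;
# none of it comes from Plesk or rkhunter.

# Constructed /etc/passwd sample, including the kind of extra UID-0
# account ("plesk-root") an attacker who guessed the default password
# might add.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
psaadm:x:500:500:Plesk admin:/usr/local/psa/admin:/sbin/nologin
plesk-root:x:0:0::/:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin'

# Constructed rkhunter-style log lines (format approximated).
SAMPLE_RKHUNTER_LOG='[12:01:02] Checking for SHV4 Rootkit... [ Warning ]
[12:01:02] Checking for SHV5 Rootkit... [ Warning ]
[12:01:03] Checking for Knark Rootkit... [ Not found ]
[12:01:04] Checking /usr/bin/ssh... [ Warning ]
[12:01:05] Checking /bin/ls... [ OK ]'

# Print every account with UID 0 other than "root", one name per line.
# Unlike an rkhunter "Warning", any hit here is a real problem: nothing
# on a Plesk box legitimately needs a second root-equivalent login.
find_extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print only the warning lines from an rkhunter log. grep returns 1 when
# nothing matches; "|| :" keeps that from aborting a "set -e" script.
rkhunter_warnings() {
    printf '%s\n' "$1" | grep 'Warning' || :
}

# Count the warning lines. Save this number from a scan on a fresh
# install; a later scan that reports more warnings than the baseline
# deserves a closer look, even if each one alone is "just a warning".
count_warnings() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Usage against the constructed samples.
find_extra_uid0 "$SAMPLE_PASSWD"          # prints: plesk-root
rkhunter_warnings "$SAMPLE_RKHUNTER_LOG"  # prints the three Warning lines
count_warnings "$SAMPLE_RKHUNTER_LOG"     # prints: 3
```

On a real server, replace the samples with `"$(cat /etc/passwd)"` and `"$(cat /var/log/rkhunter.log)"` (or wherever your rkhunter build writes its log); the point of the baseline count is to separate the warnings a fresh install always produces from ones that appear only after the box has been exposed.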
 
Hey Hultenius,

I meant the false positives on a fresh Plesk install... so once you have installed the server OS you then install Plesk 9.5.X. Before you install your license key try a scan; you should see some warnings which are potential threats. I think it is strange that the scan would return warnings on a fresh install.

Yes I always format when a computer (SERVER/PC/MAC) has been infected.

Cheers,
 