
Plesk Install - possible rootkit detected

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by bskrakes, Aug 25, 2010.

  1. bskrakes

    bskrakes Basic Pleskian

    Hi there, so this really frustrates me... I am running VMware Workstation 7.x (latest update) with a fresh install of CentOS 5.4 32-bit, VMware Tools installed and snapshots taken. I just completed the install of Plesk 9.5.2 and rebooted. After rebooting I went into the CP, changed my settings and ran the watchdog security check, which I believe to be rkhunter... now it has detected a few potential files and rather than saying "ok" they say "warning."

    I am not a security specialist and realize that some files may cause false positives but it would be nice to know if someone can confirm this. My machine is behind a firewall and has only been connected to download Plesk along with this post... how can I be infected already?

    Err, come on Parallels!!!
     
  2. Hultenius

    Hultenius Guest

    Which files does rkhunter report as being affected? Do you have a "plesk-root" user on the system? Plesk is vulnerable until you change the default password, and someone out there is scanning common DC IP ranges. I've seen this myself.
     
  3. bskrakes

    bskrakes Basic Pleskian

    Hi Hultenius,

    No user called "plesk-root", just "root" and "psaadm".

    I had both SHV4 and SHV5 rootkits showing as "warnings" in the Plesk watchdog rkhunter scan. I have since formatted my server, re-installed Plesk and performed a restore from a backup. Lucky for me the backup seems to be fine; once restored I ran another scan and no traces of any rootkits were found.

    However, what I do find funny is that on a clean install of Plesk the scan actually shows a few files with warnings. Is this a false positive?

    Thanks.
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    Once again: a warning is not a real alert. It is just a warning about a possible problem.
     
  5. Hultenius

    Hultenius Guest

    This is most certainly not a false positive. Your server was infected; I remember those names (SHV4 & SHV5). I'm surprised you didn't have a "plesk-root" user/alias in your /etc/passwd file.

    Good practice by formatting the drive! A server that has been infected can never be trusted.

    More information and some good tips on how you can install Plesk in a safe way can be found here:
    http://www.atomicorp.com/forums/viewtopic.php?f=3&t=4271
     
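    The two checks Hultenius asks about in posts 2 and 5 (an unexpected "plesk-root" account sharing UID 0 in /etc/passwd, and which rkhunter tests came back as "Warning"), written up as an added shell example that is not part of this thread or of Plesk/rkhunter; the passwd entries and log lines are constructed, and the rkhunter log layout is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk/rkhunter: two
# defender-side checks matching the questions raised in the thread.
# All sample data below is constructed for illustration.

# Print every account with UID 0 that is not "root", one per line.
# An added account such as "plesk-root" would show up here.
# $1: path to a passwd-format file (name:x:uid:gid:gecos:home:shell)
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the name of each rkhunter check that ended in "[ Warning ]".
# $1: path to a log in the style of rkhunter output (assumed format)
rkhunter_warnings() {
    grep -E '\[ *Warning *\]' "$1" \
        | sed -E 's/^.*Checking for //; s/[[:space:]]*\[ *Warning *\].*$//'
}

# Constructed sample passwd file: "plesk-root" shares UID 0 with root.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
psaadm:x:500:500:Plesk admin:/usr/local/psa/admin:/sbin/nologin
plesk-root:x:0:0::/:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF

# Constructed sample log lines imitating an rkhunter rootkit scan.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:01]   Checking for SHV4 Rootkit                [ Warning ]
[10:15:01]   Checking for SHV5 Rootkit                [ Warning ]
[10:15:02]   Checking for Suckit Rootkit              [ Not found ]
[10:15:02]   Checking for T0rn Rootkit                [ Not found ]
EOF

echo "Accounts with UID 0 other than root:"
extra_uid0_accounts "$SAMPLE_PASSWD"   # prints: plesk-root
echo "rkhunter checks that returned Warning:"
rkhunter_warnings "$SAMPLE_LOG"        # prints: SHV4 Rootkit, then SHV5 Rootkit
```

    On a live box you would point the first function at /etc/passwd and the second at the rkhunter log; any non-root UID 0 account is reason to treat the host as compromised rather than as a scanner false positive.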
  6. bskrakes

    bskrakes Basic Pleskian

    Hey Hultenius,

    I meant the false positives on a fresh Plesk install... so once you have installed the server OS you then install Plesk 9.5.X. Before you install your license key, try a scan; you should see some warnings which are potential threats. I think it is strange that the scan would return warnings on a fresh install.

    Yes I always format when a computer (SERVER/PC/MAC) has been infected.

    Cheers,
     