Plesk Install - possible rootkit detected

bskrakes

Basic Pleskian
Hi there, so this really frustrates me... I am running VMware Workstation 7.x (latest update) with a fresh install of CentOS 5.4 32-bit, VMware Tools installed and snapshots taken. I just completed the install of Plesk 9.5.2 and rebooted. After rebooting I went into the CP, changed my settings and ran the watchdog security check, which I believe to be rkhunter... now it has detected a few potential files and rather than saying "OK" they say "warning."

I am not a security specialist and realize that some files may cause false positives but it would be nice to know if someone can confirm this. My machine is behind a firewall and has only been connected to download Plesk along with this post... how can I be infected already?

Err, come on Parallels!!!
 
Which files does rkhunter report as being affected? Do you have a "plesk-root" user on the system? Plesk is vulnerable until you change the default password, and someone out there is scanning common DC IP ranges. I've seen this myself.
 
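A quick way to do the check suggested above (an added example, not code from the thread or from Plesk): a couple of shell functions that read passwd text on stdin and report any account with UID 0 other than root, or test for a specific account name such as "plesk-root". The passwd lines in SAMPLE_PASSWD are constructed for illustration; run the functions against the real /etc/passwd instead.

```shell
#!/bin/sh
# Added example: look for a "plesk-root" account and for any extra UID-0
# account in passwd-format text. SAMPLE_PASSWD is constructed sample data,
# not taken from a real system; feed /etc/passwd on stdin in practice.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
psaadm:x:48:48:Plesk admin:/usr/local/psa/admin:/sbin/nologin
plesk-root:x:0:0::/:/bin/bash'

# Print the name of every account whose UID (field 3) is 0 and that is
# not "root". Any output here deserves investigation.
# Usage: extra_uid0_accounts < /etc/passwd
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Return 0 (true) if an account with the given name exists in the
# passwd text on stdin, 1 otherwise.
# Usage: has_account plesk-root < /etc/passwd
has_account() {
    awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
if printf '%s\n' "$SAMPLE_PASSWD" | has_account plesk-root; then
    echo "plesk-root account present"
fi
```

On a live box, `extra_uid0_accounts < /etc/passwd` should print nothing; a second UID-0 account is a strong sign the machine has been tampered with, and in that case the advice later in the thread (reinstall, don't clean) applies.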
Hi Hultenius,

No user called "plesk-root." just "root" and "psaadm."

I had both SHV4 and SHV5 rootkits showing as "warnings" in the Plesk watchdog rkhunter scan. I have since formatted my server, re-installed Plesk and performed a restore from a backup. Lucky for me the backup seems to be fine; once restored I ran another scan and no traces of any rootkits were found.

However what I do find funny is that on a clean install of Plesk the scan actually shows a few files with warnings, is this a false positive?

Thanks.
 
Once again - a warning is not a real alert. It is just a warning about a possible problem.
 
This is most certainly not a false-positive. Your server was infected, I remember those names (SHV4 & SHV5). I'm surprised you didn't have a "plesk-root" user/alias in your /etc/passwd files.

Good practice by formatting the drive! A server that has been infected can never be trusted.

More information and some good tips on how you can install Plesk in a safe way can be found here:
http://www.atomicorp.com/forums/viewtopic.php?f=3&t=4271
 
Hey Hultenius,

I meant the false positives on a fresh Plesk install... so once you have installed the server OS you then install Plesk 9.5.X. Before you install your license key try a scan; you should see some warnings which are potential threats. I think it is strange that the scan would return warnings on a fresh install.

Yes I always format when a computer (SERVER/PC/MAC) has been infected.

Cheers,
 