
plesk login page problem

I don't have a script1.txt file. I have a feeling that there is one exploit but different intrusion techniques from different people. Could it be related to the last 2 hotfixes on MailEnable posted by SWsoft and MailEnable??

http://www.mailenable.com/hotfix/default.asp

Was your MailEnable server patched, guys?

Regards
 
No MailEnable hotfixes for me. I believe it's version 1.96 I'm running, but no hotfixes. Does anybody know what happened to our servers, since mine is not the only one that crashed, like 18 hours ago?
 
Looks like a worm to me. But how they were able to infect, or what the vulnerability was, that is something the Plesk guys have to answer.

We can at least hope they are aware and working on it, though there is no update in this thread from staff.
 
There is no SWsoft guy willing to help us here, so we are trying to put together the symptoms to find out what the hell has happened to us :D

I still couldn't find out what happened.

I have 4 servers and about 600 domains down for 12-15 hours. Customers are beginning to eat me.

SWSOFT HEAR US!!! :) We are doomed.
Regards,
 
I can't remove it. It's being used by a process. I am backing up my domains to restore them to a clean server. After I finish the backup process I will stop the VPS and only mount it to delete the file.
 
I'm also facing this problem from 12 hrs ago, with 400 domains on two servers. SWsoft, please come and help with some solution. It's very important at this time for you to hear us and come up with some solution.
 
I'm having the same problem as everyone here, except with Plesk 8.1. Here's what I got from support:

Hello,

We have a number of customers with the same problem.
Our engineers determined that this problem is the result of a virus attack on the server. For now you should check the server for viruses. We're working on the problem to fix it forever, but for now you can apply the following workaround:

Please open "Administrative Tools" -> "Local Security Policy" -> "User rights assignment" and check the "Allow to access this computer from network" parameter. This field contains no users and therefore all the anonymous internet users cannot login; however, there should be at least the "psacln" group: http://kb.swsoft.com/article_156_976_en.html

So please check Windows installation for the integrity with this command:

C:> sfc /scannow

After that, you would need to run "Plesk Reconfigurator" -> "Repair Plesk Installation", mark the "Plesk Server Accounts" and "Plesk Vhosts Security" checkboxes and perform the repair. This should get the sites back.

This sounded like great news, but I don't have a "psacln" user, and I can't run sfc remotely; you have to be at the computer.

Hope this helps someone out there.
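The support workaround above comes down to one check: does the "psacln" group still hold the "Access this computer from the network" user right (internally SeNetworkLogonRight), and does it stay there after you add it? The following PowerShell is an added example, not from the thread or from SWsoft support. It exports the local policy with secedit, looks for the group by name or SID, and can poll on a timer so that a right being stripped again (as later posts report) shows up as a flip from True to False. The group name defaults to "psacln" from the support reply; the temp file name and polling interval are assumptions. Run it in an elevated Windows PowerShell 5 or later session.

```powershell
# Added example (not from the thread). Verifies SeNetworkLogonRight membership,
# the right the support reply asks you to check, and can watch for it being removed.

function Test-NetworkLogonRight {
    param(
        [string]$Principal = 'psacln'   # local group named in the support reply
    )
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'   # assumed scratch path
    # secedit writes an INI-style file; /areas USER_RIGHTS limits it to privileges.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run elevated' }

    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # No line at all means the right is assigned to nobody, which is the broken state.
    if (-not $line) { return $false }

    # Members are listed as plain names or as *SID; accept either form.
    $members = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Principal)).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $null   # group does not exist on this host; fall back to name match only
    }

    return [bool]($members | Where-Object { $_ -ieq $Principal -or ($sid -and $_ -eq $sid) })
}

# Re-check on an interval so a policy that keeps being reset is visible in the log.
function Watch-NetworkLogonRight {
    param(
        [string]$Principal = 'psacln',
        [int]$IntervalSeconds = 60,   # assumed; shorten if you want finer resolution
        [int]$Iterations = 10
    )
    for ($i = 0; $i -lt $Iterations; $i++) {
        $ok = Test-NetworkLogonRight -Principal $Principal
        '{0:u}  {1} holds SeNetworkLogonRight: {2}' -f (Get-Date), $Principal, $ok
        if ($i -lt $Iterations - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

# One-shot check; use Watch-NetworkLogonRight after adding the group to confirm it sticks.
Test-NetworkLogonRight
```

If the one-shot check returns True but the watch loop later prints False, the group was removed again after you added it, which is the symptom two posts further down describe; at that point the policy edit alone is not a fix and the host needs the cleanup steps discussed later in the thread.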
 
psacln is a group. Click the Add button, then Option types. Check groups and it will show up in the list. We are seeing sites come back up.
 
Matt, you're my hero for the day. It works perfectly. Now my sites are working OK. I hope SWsoft will release the permanent patch.

Thank you again to you and swsoft support and my disaster mates in this thread :)

Regards
 
Is it possible to do this fix remotely? I can't test right now because I'm on my mobile. Unfortunately I don't have direct access to the server, except remotely.
 
I'm glad that fix worked, but I can't seem to get it to work here. I've added the "psacln" group to the "Access this computer from the network" user right, and I've run Plesk Reconfigurator. I'm still having the same issue.

Was anything else done to get it to work? Was a reboot required?
 
Hello, I am back again. I am setting the policy setting but somehow it gets deleted again and my sites blow away.

Problem continues
 
Hello All,

I just wanted to let everyone know that this is not a result of machine attacks as I see mentioned above in this thread.

We are a plesk reseller and I have been dealing with plesk machines all morning. At first, I thought that it was an outbreak, but after reinstalling a box with windows (with only RD allowed through the firewall), updating it, then installing a fresh version of plesk using a network install bundle (where the entire install package is downloaded to the box first), I ended up with an infected server. After some lengthy investigation, I can say that this problem is coming from infected plesk installs and updates.

Also, after rebooting an infected server a few times, it will just start bluescreening on rdriv.sys.

As of now I don't have a fix for a box in this state, and I am awaiting a fix from plesk support.

Jim
Bocacom Support
 
Originally posted by TarkanVeKurdu:
I am setting the policy setting but somehow it gets deleted again and my sites blow away.

Problem continues

Same here - it deletes the group that I'm setting for "allow network access" :(


Edit: When I'm running the Dr.Web "cureit.exe", I'm getting this "virus":
http://thuesen.biz/ss/ZZ4D613093.jpg
It's unable to be cured; I then get asked if I want to move it, but I don't know if the file is used for something important?
 
We are up OK, since during the initial rush we probably killed or stopped the process. Some of the things we did on the fly:

1. Disable all MailEnable services

2. Delete the batch file in the system32 directory which was recently created. The file contents have been described previously in this thread.

3. Delete a.exe in the system32 dir.
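Before deleting anything from a box in this state it is worth collecting what the three steps above touch, so the evidence survives and can be compared across hosts (the next reply notes a.exe is present on some infected servers and not others). The script below is an added example, not from the thread: a read-only triage pass that reports the MailEnable service state, lists .bat/.cmd/.exe files created or modified in System32 within a look-back window, hashes each one, and flags the a.exe name mentioned above. It changes nothing; the commented line at the end shows how the "stop MailEnable" step would be done once you have the report. The 48-hour window is an assumption; it assumes Windows PowerShell 5 or later.

```powershell
# Added example (not from the thread). Read-only collection of the indicators the
# post above acts on: MailEnable services, fresh binaries in System32, and a.exe.

function Get-IncidentTriage {
    param(
        [int]$LookBackHours = 48,                                   # assumed window
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    $since = (Get-Date).AddHours(-$LookBackHours)

    # Step 1 of the post disabled MailEnable; record what is running before touching it.
    $services = Get-Service |
        Where-Object { $_.Name -like 'MailEnable*' -or $_.DisplayName -like 'MailEnable*' } |
        Select-Object Name, DisplayName, Status, StartType

    # Steps 2 and 3 deleted a recent batch file and a.exe from System32; list candidates
    # by creation/modification time and hash them so hosts can be compared.
    $recent = Get-ChildItem -Path $System32 -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Extension -in '.bat', '.cmd', '.exe') -and
            ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since)
        } |
        ForEach-Object {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = if ($hash) { $hash.Hash } else { 'unreadable' }
                Flagged   = ($_.Name -ieq 'a.exe')   # file name called out in the thread
            }
        }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        CollectedAt    = Get-Date
        MailEnable     = $services
        RecentBinaries = $recent
    }
}

$report = Get-IncidentTriage
$report.MailEnable | Format-Table -AutoSize
$report.RecentBinaries | Sort-Object Created -Descending | Format-Table -AutoSize

# Keep a copy of the report off the box before any cleanup:
# $report | ConvertTo-Json -Depth 4 | Set-Content "$env:TEMP\triage-$($env:COMPUTERNAME).json"
# The post's step 1, only after the report is saved:
# $report.MailEnable | Where-Object Status -eq 'Running' | ForEach-Object { Stop-Service $_.Name -Force }
```

A batch file whose contents match what was posted earlier in the thread, plus a.exe with a matching hash on more than one server, is the kind of cross-host evidence that separates a shared infection from a coincidence, and it is exactly what is lost if the files are simply deleted first.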
 
**** :( I'm no longer able to connect using Remote Desktop!! I tried the solution posted earlier, it didn't work, so I restarted the server... mail is up and running, and websites are still asking for a login, but I can't log in with Remote Desktop anymore.

I'm pretty f*cked, as the server is based on the other side of the world!!
 
>> 3. Delete a.exe in the system32 dir.

FYI, a.exe does not exist in all infected systems. I have some servers with and some without, so this may or may not work for you.

Also, I have just been given some info that MailEnable was attacked en masse last night. I don't have any details, but I am not sure how that would get into the Plesk updates.

I will post more info as I get it.

Jim
Bocacom
 
I am also seeing that once the machines are rebooted a few times, they degrade into a state where they will bluescreen on rdriv.sys a couple minutes after a reboot.

I have found no fix for this. So far, once it is in this state, the server is down and only the datacenter can fix it (if they can get a fix from plesk).

As of now, some of the plesk boxes I have can only be accessed from the windows repair console. Safe mode does not work, the trojan seems to recognise it is coming up in safe mode and immediately reboots the server.

Jim
Bocacom
 