
plesk login page problem

Originally posted by smerkel
It was a partner email that was sent out. Additionally, several vulnerability databases sent notifications with regards to the Mail Enable issue.

http://secunia.com/advisories/23127/

Regards,

Steve

It would really be nice if they sent that to all partners...

I have managed to get a severely infected box stable again. I can reboot it without problems and the OS at least is stable (with one exception).

Since the OS would not stay up for more than 2 minutes, I could only access it from the recovery console. Here's what I did.

1. I deleted the following files:

c:\windows\system32\bw.exe
c:\windows\system32\nc.exe
c:\windows\system32\pack.exe
c:\windows\system32\gethashes.exe
c:\windows\system32\saminside.ini
c:\windows\system32\psinfo.exe
c:\windows\system32\start.bat

2. I disabled all MailEnable services and the rdriv service.

3. I deleted all task files in the c:\windows\Tasks directory. I think the trojan had a task running a minute or so after a boot.

4. I then ran a windows setup to repair the OS files.

The server boots now and seems to be stable. I have one exception... after the boot, winlogon.exe crashes 4 or 5 times, but then starts working. If anyone has any ideas on this it would be appreciated.

I still have a bit of work to do....

Jim
Bocacom
 
jimt,

Are you on 7.6.1 or 8.1?

I had the support guys restart my server so I can connect remotely again. I'm going to start cleaning up those files and services now.

Anyone know if it's a good idea to change MailEnable from port 110 to 111 or something, just temporarily?
 
This server is 7.6.1, but the version probably doesn't matter much as these are trojan files.

Jim
Bocacom
 
I'm cleaning up my server now, but I am unable to delete rdriv.sys, even though I stopped all the services in the "Plesk Monitor".

If I can't delete it, then I'll try a restart and see if that helps.
 
I have been able to remove rdriv.sys from a recovery console.

I have found the winlogon issue I mentioned previously...

There is one more trojan service. In services it is called "DHCP Controller", and when it starts, it opens a couple dozen ports and starts listening. The file is in the c:\windows\system32\dhcp directory. I just deleted the entire directory. When I removed it and started back up, my winlogon.exe faults stopped happening on bootup. Note that I removed it in the recovery console.

Now I have to upgrade mailenable and it should be a clean system.

Jim
Bocacom
 
My firewall was tracking 6000 concurrent TCP connections from this box, all dport=110, and mostly on the same Class B, burning up 3 Mbit of bandwidth, a LOT of disk activity, a LOT of vscan activity (scanning the mail queue, I presume), and every IIS site was broken due to the psacln "allow network logon" problem.

I had another rootkit on there as well; it was probably something older, but all is well in the world on this server. I have 2 servers side by side, 1 got the virus and 1 didn't, and they are identically configured.
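The symptom reported above (thousands of concurrent connections to TCP 110, mostly into one Class B) can be checked for directly on a suspect box. The script below is an added example, not code from the thread or from Plesk: it parses `netstat -ano` output, keeps only POP3 connections, and groups them by owning process and by /16 so the offending process and its target range stand out. The line layout it assumes is the one `netstat -ano` prints on Windows, PowerShell 3.0 or later is assumed, and the sample lines at the bottom are constructed to mirror the post, not captured from a real host.

```powershell
# Added example, not from the thread. Parse `netstat -ano` and flag a process
# fanning out POP3 (TCP 110) connections, grouped by owning PID and by /16.
# Assumed input layout:  TCP  10.0.0.5:49152  203.0.113.7:110  ESTABLISHED  1234

function Get-Pop3Fanout {
    param(
        [Parameter(ValueFromPipeline = $true)] [string[]] $NetstatLines,
        [int] $Threshold = 50     # POP3 connections per PID that count as suspicious
    )
    begin { $rows = @() }
    process {
        foreach ($line in $NetstatLines) {
            $f = $line.Trim() -split '\s+'
            if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }   # header and UDP rows
            $remote = $f[2]
            $idx = $remote.LastIndexOf(':')
            if ($idx -lt 0 -or $remote.Substring($idx + 1) -ne '110') { continue }
            if (@('ESTABLISHED', 'SYN_SENT') -notcontains $f[3]) { continue }
            $octets = $remote.Substring(0, $idx) -split '\.'
            if ($octets.Count -ne 4) { continue }                   # skip IPv6 peers
            $rows += [pscustomobject]@{
                Pid     = [int]$f[4]
                Slash16 = "$($octets[0]).$($octets[1]).0.0/16"
            }
        }
    }
    end {
        foreach ($g in ($rows | Group-Object Pid | Sort-Object Count -Descending)) {
            $proc = Get-Process -Id ([int]$g.Name) -ErrorAction SilentlyContinue
            $top  = $g.Group | Group-Object Slash16 | Sort-Object Count -Descending |
                    Select-Object -First 1
            $procName = if ($proc) { $proc.ProcessName } else { '(not running)' }
            [pscustomobject]@{
                Pid          = [int]$g.Name
                Process      = $procName
                Pop3Conns    = $g.Count
                TopSlash16   = $top.Name
                InTopSlash16 = $top.Count
                Suspicious   = ($g.Count -ge $Threshold)
            }
        }
    }
}

# Constructed sample shaped like `netstat -ano` on the box described above:
# PID 1234 holds 60 POP3 connections into 198.51.0.0/16, PID 4321 holds one,
# and an RDP session is included as a control that must not be flagged.
$sample = @('  Proto  Local Address      Foreign Address      State        PID')
foreach ($i in 1..60) {
    $sample += "  TCP    10.0.0.5:$(49000 + $i)   198.51.100.$($i % 250 + 1):110   ESTABLISHED  1234"
}
$sample += '  TCP    10.0.0.5:49500   203.0.113.9:110    ESTABLISHED  4321'
$sample += '  TCP    10.0.0.5:3389    192.0.2.8:51000    ESTABLISHED  996'
$sample | Get-Pop3Fanout -Threshold 50 | Format-Table -AutoSize

# On a live box:  netstat -ano | Get-Pop3Fanout
```

On the sample, PID 1234 comes out with 60 connections, all in 198.51.0.0/16, and Suspicious = True; PID 4321 is listed but not flagged. On a real host the Process column tells you which binary to stop before you start deleting files, which matters because several posters in this thread lost their RDP session the moment they touched the malware while it was still running.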
 
Originally posted by supra2800
If I can't delete it, then I'll try a restart and see if that helps.

Be sure to thoroughly check for malicious files before rebooting. Most trojans I've come across reinstall themselves on reboot if they have been removed.

In my case it was the clipsvr.exe file that was the key to removing infection. Once it was removed I started regaining control of things.

Good-luck!
 
Originally posted by ecohosting
Be sure to thoroughly check for malicious files before rebooting. Most trojans I've come across reinstall themselves on reboot if they have been removed.

In my case it was the clipsvr.exe file that was the key to removing infection. Once it was removed I started regaining control of things.

Good-luck!

I don't even have the clipsvr.exe file in my system. Search can't find it, and I can't find it in system32 either.


I'm unable to go into recovery mode, as the server is at a hosting company. I only have remote desktop access :(

Will I still be able to delete rdriv.sys ?
 
Use Unlocker to delete the files: http://ccollomb.free.fr/unlocker/ It will help in deleting the file. There is a service named "MailEnable SMTP Relay Service"; you have to remove it as well as delete its keys from the registry. Looks like a polymorphic virus to me.
 
I followed the instructions and the server is up but it is slow and very unstable.

I removed all the files and added my groups as it says. I ran the Reconfigurator and it seems to be just fine other than being very slow to respond. I have tape backups of all activity and I don't mind if I have to reinstall my 4 servers, that's fine.

I just don't want to go through the hassle if it will be in vain though.

And having MailEnable disabled is not really a long-term option, as no email accounts work, and none of my site scripts send out emails etc.

Hope there is a permanent fix soon.

I am thinking I should go back to Unix.
Never had these issues or any other issues with cPanel.


Roger Sallas
Bigserverhosting.com
Fcwebhosts.com
 
Originally posted by parisioa
Change the local computer's administrator password, and kick the person out using Terminal Services Manager, before they do that to you.

I think they just did it to me. I just installed that Unlocker program, unlocked rdriv.sys, right-clicked it to delete it, and it stopped responding. Now I can't connect with RDC again. Will have to have the support team restart it again, the hard way.

But why change the local computer's administrator password? That's a really long and weird password; it can't be guessed. Nobody knows it.
 
If they are logged into the server as administrator, then they have the password. One of the files I saw was gethash, so they probably got the password hashes and hacked those, probably.

Originally posted by supra2800
I think they just did it to me. I just installed that Unlocker program, unlocked rdriv.sys, right-clicked it to delete it, and it stopped responding. Now I can't connect with RDC again. Will have to have the support team restart it again, the hard way.

But why change the local computer's administrator password? That's a really long and weird password; it can't be guessed. Nobody knows it.
 
It seems that each time I try to kill the MailEnable SMTP Relay Service using the "Unlocker" program, the remote desktop program hangs a few seconds later, and I'm unable to reconnect.

BUT - after I restarted, MY WEBSITES WERE WORKING AGAIN !!

I just need to figure out how to delete MailEnable SMTP Relay Service and rdriv.sys also.

And next, find out why the Windows Firewall window is all greyed out, and the bullet is on "off", but I can't change it.
 
Greetings:

We are having good luck cleaning things up, and I thought it may be useful to some of you out there if I went ahead and posted our complete process. Your mileage may vary as there may be a couple variants out there (based on the slight differences in files that I’m seeing people post.)

Additionally, those that asked for a link where SWSoft posted the MailEnable issue should refer to here: http://forums.swsoft.com/showthread.php?s=&threadid=40792

1. Boot Windows CD and enter Recovery Console.
2. Ensured the rdriv service was present and its start type was set to Manual.
3. Ran "disable rdriv", and verified that the service was set to Disabled.
4. Renamed (or deleted) the following files:

* c:\windows\system32\a.exe
* c:\windows\system32\bot.exe
* c:\windows\system32\bw.exe
* c:\windows\system32\gethashes.exe
* c:\windows\system32\getsyskey.exe
* c:\windows\system32\nc.exe
* c:\windows\system32\rdriv.sys
* c:\windows\system32\start.bat

I would recommend looking at all executables in windows\system32, windows\system, and windows\. I would consider any file with an identical timestamp as rdriv.sys as suspect.

5. Rebooted server into Windows (minus a network connection)
6. Within Registry Editor, removed all references to rdriv.sys, and start.bat. There were several keys referencing the rdriv.sys file. The only reference to start.bat that we came across was in a couple of MUICache folders. We did not come across any references to any of the other files listed above.
7. We patched MailEnable with the latest hotfix at http://www.mailenable.com/hotfix/. (Copy this to a CD, or download it from a network segment that does not allow inbound TCP 110 connections.)
8. Rebooted the server several times to ensure re-infection did not occur. (Note: If you do not delete start.bat, you will likely be re-infected.)
9. Ran the local security policy editor, and looked at the "Access this computer from the network". I added the psacln group to the policy, however, I'm not sure this is required - other PSA winboxes we have do not have this group applied to the policy. They all do have the IUSR and IWAM objects applied, so I ensured these were present as well. (I'll check the psacln requirement on the next cleanup I do and report back.)
10. I ran the Plesk Reconfigurator -> Repair Plesk Installation -> Check Plesk Server Accounts and Plesk Virtual Hosts Security.

Most of this will be applicable to PSA 8.1 and PSA 7.6. The only part I cannot confirm for now is the process of repairing all of the permissions so sites do not prompt for credentials. I will report on that when I clean a 7.6 box shortly.

Good hunting.

Regards,

Steve
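The procedure above (and Jim's earlier one) is done by hand from the Recovery Console, and step 4's advice to treat anything with rdriv.sys's timestamp as suspect, step 6's registry sweep and the scheduled-task and service checks are exactly the parts worth scripting so nothing is deleted blind. The script below is an added example, not code from the thread, Plesk or MailEnable. It is read-only: it reports coeval files with their hashes, registry references to the names reported in this thread, task files in windows\Tasks, and services whose binary matches a listed name or the driver's timestamp (the "DHCP Controller" service Jim found lived in system32\dhcp and would be caught by the timestamp rule). It assumes Windows PowerShell 4.0 or later run as Administrator, that the anchor file is still on disk, and that the name list, which is only what this thread reports, is a starting point rather than a complete indicator list.

```powershell
# Added example, not from the thread and not Plesk or MailEnable code. Read-only
# triage to run as Administrator before the deletion steps above.
# Assumptions: Windows PowerShell 4.0+ (Get-FileHash, Get-WmiObject), the anchor
# file still exists, and $Names is the list reported in this thread (incomplete).
param(
    [string]   $Anchor    = "$env:windir\System32\rdriv.sys",
    [int]      $WindowSec = 120,
    [string[]] $Names     = @('rdriv.sys', 'start.bat', 'a.exe', 'bot.exe', 'bw.exe',
                              'gethashes.exe', 'getsyskey.exe', 'nc.exe', 'pack.exe',
                              'psinfo.exe', 'saminside.ini', 'mesmtpsvc.exe', 'clipsvr.exe')
)
$ErrorActionPreference = 'SilentlyContinue'   # unreadable keys/paths are skipped, not fatal
$dirs = @($env:windir, "$env:windir\System32", "$env:windir\System")

# Reduce a service PathName ("C:\x\y.exe" -k args) to the binary it runs
function Get-ServiceBinary([string]$PathName) {
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^\s*"?([^"]+?\.(exe|sys))"?') { return $Matches[1] }
    return $p
}
function Within([datetime]$T, [datetime]$T0, [int]$Sec) {
    return [math]::Abs(($T - $T0).TotalSeconds) -le $Sec
}

# 1. Step 4's heuristic: files in the Windows directories written at the same moment as the driver
$t0 = (Get-Item $Anchor).LastWriteTime
if (-not $t0) { Write-Warning "anchor $Anchor not found; timestamp checks skipped" }
$coeval = foreach ($d in $dirs) {
    Get-ChildItem $d -File | Where-Object { $t0 -and (Within $_.LastWriteTime $t0 $WindowSec) }
}
"== Files within $WindowSec s of $Anchor =="
$coeval | Select-Object FullName, Length, LastWriteTime,
    @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName).Hash } } |
    Format-Table -AutoSize | Out-String -Width 200

# 2. Step 6's registry sweep: service keys, Run keys, Winlogon, MUICache
$hives = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache'
)
# Match a listed name only as a whole file name, so a.exe does not hit java.exe
$rx   = '(^|[\\/\s"])(' + (($Names | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')($|[\s"])'
$bare = $Names | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$refs = foreach ($h in $hives) {
    foreach ($k in @(Get-Item $h) + @(Get-ChildItem $h -Recurse)) {
        if (-not $k) { continue }
        if ($bare -contains $k.PSChildName) {          # e.g. Services\rdriv itself
            [pscustomobject]@{ Key = $k.Name; Value = '(key name)'; Data = '' }
        }
        foreach ($vn in $k.GetValueNames()) {           # MUICache keeps the path as the value name
            $data = [string]$k.GetValue($vn)
            if ($vn -match $rx -or $data -match $rx) {
                [pscustomobject]@{ Key = $k.Name; Value = $vn; Data = $data }
            }
        }
    }
}
"== Registry references to the listed names =="
$refs | Format-Table -AutoSize | Out-String -Width 200

# 3. What starts on its own: task files (Jim's step 3) and services by name or timestamp
"== Scheduled task files =="
Get-ChildItem "$env:windir\Tasks" -Filter *.job | Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize | Out-String -Width 200
"== Services whose binary matches a listed name or the driver's timestamp =="
Get-WmiObject Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinary $_.PathName
    $fi  = if ($bin) { Get-Item -LiteralPath $bin } else { $null }
    $byName = $Names -contains [IO.Path]::GetFileName($bin)
    $byTime = $fi -and $t0 -and (Within $fi.LastWriteTime $t0 $WindowSec)
    if ($byName -or $byTime) {
        [pscustomobject]@{ Name = $_.Name; Display = $_.DisplayName; State = $_.State
                           Start = $_.StartMode; Binary = $bin }
    }
} | Format-Table -AutoSize | Out-String -Width 200
```

Run it with output redirected to a file (`.\triage.ps1 > triage.txt`) and keep the hashes; they are what lets you recognise the same dropper on the next box, and the thread already shows the file set differs slightly between victims. Anything the service or registry sections report is what will bring the infection back on reboot if the files alone are deleted, which is the point step 8 makes about start.bat.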
 
smerkel,

Sounds good!

However, each time I log on with RDC, it only takes a few minutes before the server stops responding. Websites still work, but no connection to MySQL databases, and RDC is unable to reconnect. Have to get my webhost support team to restart it each time :(

So now I'm hoping they are able to boot in Safe Mode, in order to remove rdriv.sys and mesmtpsvc.exe, also any reg keys containing rdriv.sys and mesmtpsvc.exe, and I pray that it will work afterwards!
 
Fixed?

I'm being told that if you have a fresh server, just updating MailEnable solves the problem and prevents the exploit from happening again, at least this one. Anyone heard the same?
 
Does anyone have all the accounts that should be listed in "Access this computer from the network" in the Local Policies?

I have the following:

IUSR_blahblah
IWAM_blahblah
psaadm
psacln

Users still unable to login to the Plesk Admin screens. Website and website FTP access work fine.
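The question above and step 9 of smerkel's procedure both come down to reading the SeNetworkLogonRight assignment and comparing it with a known-good Plesk box. The script below is an added example, not code from the thread or from Plesk: it exports the local policy with secedit, resolves each SID on the SeNetworkLogonRight line to an account name, and reports which of an expected set are missing. It assumes Windows PowerShell run as Administrator, and the expected list (IUSR_*, IWAM_*, psaadm, psacln) is only what posters in this thread report, with smerkel unsure whether psacln is required, so a mismatch is a prompt to compare with a working server rather than a verdict.

```powershell
# Added example, not from the thread. List who holds "Access this computer from
# the network" (SeNetworkLogonRight) and check the principals this thread expects.
# Assumptions: run as Administrator; $Expected comes from this thread, not from
# Plesk documentation, and psacln's necessity is unconfirmed above.
param([string[]] $Expected = @('IUSR_*', 'IWAM_*', 'psaadm', 'psacln'))

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# The export is UTF-16 with a BOM (Get-Content detects it); the line of interest looks like
#   SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,psacln
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeNetworkLogonRight not present in the exported policy' }

$names = foreach ($e in (($line -split '=', 2)[1] -split ',')) {
    $e = $e.Trim()
    if (-not $e) { continue }
    if ($e.StartsWith('*')) {
        # SID entry: resolve to DOMAIN\name; an orphaned SID (deleted account) is reported as such
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { "$($e.Substring(1)) (unresolved)" }
    } else { $e }                      # plain names are written as-is by secedit
}

'Access this computer from the network:'
$names | ForEach-Object { "  $_" }

# Compare against the principals this thread reports on a working Plesk box
foreach ($pat in $Expected) {
    $hit = @($names | Where-Object { ($_ -split '\\')[-1] -like $pat })
    if ($hit.Count) { "present: $pat -> $($hit -join ', ')" } else { "MISSING: $pat" }
}
```

An "(unresolved)" SID in the output is worth a look on its own: it is an entry for an account that no longer exists, which is what you would expect to see left behind after accounts were recreated during a cleanup.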
 