
plesk login page problem

Originally posted by smerkel
Greetings:

We are having good luck cleaning things up, and I thought it may be useful to some of you out there if I went ahead and posted our complete process. Your mileage may vary as there may be a couple of variants out there (based on the slight differences in files that I’m seeing people post.)

Additionally, those that asked for a link where SWSoft posted the MailEnable issue should refer to here: http://forums.swsoft.com/showthread.php?s=&threadid=40792

1. Boot Windows CD and enter Recovery Console.
2. Ensured the rdriv service was present and its start type was set to Manual.
3. Ran disable rdriv, and verified that the service was set to Disabled.
4. Renamed (or deleted) the following files:

* c:\windows\system32\a.exe
* c:\windows\system32\bot.exe
* c:\windows\system32\bw.exe
* c:\windows\system32\gethashes.exe
* c:\windows\system32\getsyskey.exe
* c:\windows\system32\nc.exe
* c:\windows\system32\rdriv.sys
* c:\windows\system32\start.bat

I would recommend looking at all executables in windows\system32, windows\system, and windows\. I would consider any file with a timestamp identical to that of rdriv.sys as suspect.

5. Rebooted server into Windows (minus a network connection)
6. Within Registry Editor, removed all references to rdriv.sys, and start.bat. There were several keys referencing the rdriv.sys file. The only reference to start.bat that we came across was in a couple of MUICache folders. We did not come across any references to any of the other files listed above.
7. We patched MailEnable with the latest hotfix at http://www.mailenable.com/hotfix/. (Copy this to a CD, or download it from a network segment that does not allow inbound TCP 110 connections.)
8. Rebooted the server several times to ensure re-infection did not occur. (Note: If you do not delete start.bat, you will likely be re-infected.)
9. Ran the local security policy editor, and looked at "Access this computer from the network". I added the psacln group to the policy; however, I'm not sure this is required - other PSA winboxes we have do not have this group applied to the policy. They all do have the IUSR and IWAM objects applied, so I ensured these were present as well. (I'll check the psacln requirement on the next cleanup I do and report back.)
10. I ran the Plesk Reconfigurator -> Repair Plesk Installation -> Check Plesk Server Accounts and Plesk Virtual Hosts Security.

Most of this will be applicable to PSA 8.1 and PSA 7.6. The only part I cannot confirm for now is the process of repairing all of the permissions so sites do not prompt for credentials. I will report on that when I clean a 7.6 box shortly.

Good hunting.

Regards,

Steve


The only thing I would add to the above is the removal of the "MailEnable SMTP Relay Service".

Jim
Bocacom
 
Anyone else wonder where Plesk Support is during all of this?
 
Greetings:

A few amendments:

While booted into the recovery console, make sure you disable the following service: MailEnable SMTP Relay Service. Also be sure to remove the c:\windows\mesmtpsvc.exe file and clean the registry of any entries referencing that file. (Sorry I didn't have that before. The fun of cleaning machines and trying to document things at the same time.)

Additionally, I would recommend that all passwords on the box be changed. Gethashes.exe is used to dump password hashes.

Lastly, on a couple of machines, not all, I've had to remove c:\windows\config\config.exe. However, in these cases, it does generate an error with winlogon.exe when you log in.

Regards,

Steve
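The triage heuristics from Steve's two posts above (the known filenames, the "same timestamp as rdriv.sys" rule, and the registry entries pointing at rdriv.sys and mesmtpsvc.exe) as a report-only PowerShell check. This is an added example, not a script from the thread or from Plesk; it assumes $env:SystemRoot is the Windows directory and prints findings without deleting anything.

```powershell
# Added example (not from the thread or from Plesk): report-only triage that applies the
# heuristics from Steve's posts. Assumes $env:SystemRoot is the Windows directory.
# It only prints findings; removal stays a manual Recovery Console step as described.

# Filenames named in the thread (mesmtpsvc.exe and config.exe come from the amendments).
$KnownBad = @('a.exe','bot.exe','bw.exe','gethashes.exe','getsyskey.exe',
              'nc.exe','rdriv.sys','start.bat','mesmtpsvc.exe','config.exe')
$Dirs = @("$env:SystemRoot\system32", "$env:SystemRoot\system", "$env:SystemRoot",
          "$env:SystemRoot\config")

# 1. Any of the known filenames present in the directories the thread lists.
foreach ($d in $Dirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $KnownBad -contains $_.Name.ToLower() } |
        ForEach-Object { "KNOWN   {0}  {1}" -f $_.LastWriteTime, $_.FullName }
}

# 2. Files whose timestamp equals that of rdriv.sys: dropped in the same batch, so suspect.
$ref = Get-Item "$env:SystemRoot\system32\rdriv.sys" -ErrorAction SilentlyContinue
if ($ref) {
    foreach ($d in $Dirs) {
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -ne $ref.FullName -and
                           $_.LastWriteTime -eq $ref.LastWriteTime } |
            ForEach-Object { "SAMETS  {0}  {1}" -f $_.LastWriteTime, $_.FullName }
    }
}

# 3. Services (rdriv, the rogue "MailEnable SMTP Relay Service") whose ImagePath points
#    at one of the files. Start=4 means Disabled, 3 Manual, 2 Automatic, 0/1 boot/system.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.ImagePath) {
        # Strip quotes, take the last path component, drop any trailing arguments.
        $leaf = ((($p.ImagePath -replace '"', '').Trim() -split '[\\/]')[-1] -split '\s+')[0]
        if ($KnownBad -contains $leaf.ToLower()) {
            "SERVICE {0}  Start={1}  ImagePath={2}" -f $_.PSChildName, $p.Start, $p.ImagePath
        }
    }
}
```

Run it with the network cable pulled, before the registry cleanup, so the output doubles as a record of what was found on that box.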
 
Plesk Support

Heard through the grapevine, they have been in touch with some of the big boys.
 
I've given up. My webhost support team was unable to boot the server in safe mode, so they just put in another hard drive, installing Windows etc. from scratch.

win2003 is up and running now - just needs plesk etc.

support team claims that all the data from my old HD can just be moved, along with settings etc., so should be exactly as before.
 
This is going to prove very difficult for webhosts whose servers are located remotely from them.

I guess the best course of action for them, if they can't get it fixed soon, is to start backing up while RDP is still working.

We started getting some errors about not being able to open any new buffers, see this:
Code:
C:\Documents and Settings\Administrator>telnet www.google.com 80
Connecting To www.google.com...Could not open connection to the host, on port 80
: Connect failed

C:\Documents and Settings\Administrator>

C:\Documents and Settings\Administrator>ftp <FTPHOST>
> ftp: bind :No buffer space is supported
ftp>
 
I am curious how the migration of your existing vhost, MySQL, MailEnable, Plesk data goes into the fresh setup.
 
Originally posted by mr360
I am curious how the migration of your existing vhost, MySQL, MailEnable, Plesk data goes into the fresh setup.

Times 42 and you'll know how curious I am :)

I fear the worst...

But at least I have a Plesk backup file from about 2 hours before the attack came, about 24 hours ago now. Though it means that all data changes to the MySQL data for the past 24 hours will be gone :(

Does anybody know what directory the MySQL data is located in, so I can just copy and paste maybe?
 
Following Steve and Jim's instructions, my sites are now live.

Just one newbie question... are there going to be any problems with leaving the MailEnable SMTP Relay Service disabled?
 
Finally a thread has been created at the MailEnable forum... this guy seems to have the same symptoms as the rest of us:
http://forum.mailenable.com/viewtopic.php?t=13459



Originally posted by mwhitman

Just one newbie question... are there going to be any problems with leaving the MailEnable SMTP Relay Service disabled?
If I were you, I would make sure that its mesmtpsvc.exe file from /windows/ folder is deleted completely, just to be safe.
 
If I'm correct it's in:

Code:
C:\Program Files\SWsoft\Plesk\Databases\MySQL

If Windows MySQL works the same as Unix MySQL you should be able to drop the same DB data into an installation, with the right perms.

However, the root password will be the same as the old installation.
 
Just one newbie question... are there going to be any problems with leaving the MailEnable SMTP Relay Service disabled?

Since I'm a nerd, and have a thing about keeping things tidy, I would recommend you go ahead and remove the registry entries that relate to that file. After a reboot, this will remove the service from Services. (It's also a good idea to backup the registry before whacking at things - call me overly careful.)

Regards,

Steve
 
Things are going well with regards to the procedure I have posted above.

On one machine, we were still being prompted for credentials by IIS while trying to log into the Control Panel itself. The following command can be run from the plesk\admin\bin directory to resolve that issue:

websrvmng --update-anon-passwords-all

If anything else crops up, I'll post yet again.

Good luck,

Steve
 
Originally posted by mwhitman
Following Steve and Jim's instructions, my sites are now live.

Just one newbie question... are there going to be any problems with leaving the MailEnable SMTP Relay Service disabled?

There is no such service. All MailEnable services or binaries start from the folder you installed ME/Plesk in.
 
Well we just brought our server (just one) back from the dead.

All remotely too.

I didn't find the hacked files, but we were having the same behavior with the "Allow login via network" in the local policy.

First time it didn't fix it, second time the group was gone again. So we reapplied the fix, ran the re-configurator, and the update anon passwords option for the admin binary.

Sites working, but good thing we don't use MailEnable other than as a localhost mail relay. (Contact us forms n' such)
 
OK. I think the reason that "MailEnable SMTP Relay Service" was still being listed in my services was that I hadn't completely removed it from the registry, I had only deleted it on the hard drive. I removed all the registry entries and now it's completely gone and doesn't appear in the Services list anymore.

Now I just need to follow the fix you posted for the control panel as I still can't login to Plesk except through Remote Desktop...
 
Originally posted by smerkel
Things are going well with regards to the procedure I have posted above.

On one machine, we were still being prompted for credentials by IIS while trying to log into the Control Panel itself. The following command can be run from the plesk\admin\bin directory to resolve that issue:

websrvmng --update-anon-passwords-all

If anything else crops up, I'll post yet again.

Good luck,

Steve



Still can't login after doing this and restarting services. All other sites are working fine now. Any ideas?
 
Back up and running - How About A Bounty

I'm back up and kicking along with an updated mailenable.

Maybe we should put a bounty out on the chump that wasted our whole day and cost people who knows how much money. Supposed to be going on vacation next week and I'm a day behind.
 
mwhitman, also add the psaadm user to the local group policy, then iisreset.
 