
Plesk server hacked multiple times!


Markus@

Guest
One of my Plesk servers was hacked again!

All sites were defaced, databases were dumped and sent to a Russian server, and then the root system got a defacement of the shell!

This happened with Plesk 8 and also before with Plesk 7.5 AND BEFORE.

Even when using 3 virus scanners, 1 chkrootkit, and certain custom extended security by disabling functions in PHP and CGI, they still found a workaround!!!!!!!!!!!!!!!!!!

We could not even do a successful restore because the Plesk backup is still full of bugs!!!!!!!!!!!!!!!

I want Plesk to do its job and add more security and create a successful backup/restore system!

I also don't understand why there is no repair function in Plesk for Linux?????? We had to write our own scripts to get everything back up.
Windows has its repair function, Linux doesn't!

We had 5 days of downtime and a massive amount of complaints!!

Plesk, please secure your system and finish backup/restore AND repair, like for example checking directory and file permissions, and users! 3 out of 10 users do not have the right permissions!
 
My most honest recommendation is to get the server restored and contract any server administrator who can secure your box. Basically, the defacements could be done via HTTP injection; probably your server has never been mod_security/mod_evasive "enabled".

Those 2 modules for Apache are not infallible, but they ensure your server is "more secure".

There are lots of other things that could be done to a box to keep it secure.

Cheers.
 
- The first time was with a phpBB forum injection, that only defaced all HTML indexes. (Plesk 6)

- The second time it happened again via a CGI script that was written by another CGI script with all permissions (Plesk 7)

- This time it is in Plesk 8 with an injection of http://rst.void.ru/download/r57shell.txt in Mambo, which downloaded other code and more code to break through the security. This code is dumping all databases and sending them to a Russian IP, defacing all index.htm, index.html, index.php, manipulating all config.php, install.php, breaking the root system, downloading all passwd files, sending them, ... (this is as far as I could trace). The server worked fine; I took a backup while the hacking was busy, so that is why I know all this. During the hacking I could download, but Plesk was broken, and SSH laughed me out when trying to use some commands...

More info on http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=17521

Mambo is vulnerable:

AVG 7.1 Anti-Virus
Copyright (c) GRISOFT,s.r.o. 2006
Program version 7.1.30 Engine: 386 database version 268.11.7/434
Command line: [-report /tmp/report.avg /backup/vhosts]
"/backup/vhosts/********/httpdocs/administrator/components/com_remository/elh" Virus identified Linux/RST.B


------------------------------------------------------------
Test start Thu Aug 31 14:13:09 2006

Elapsed time 2699 sec.
------------------------------------------------------------
Scanned files : 235121
Scanned sectors : 0
Infected files : 1
Infected sectors : 0
------------------------------------------------------------

So now I lost 5 days, disabled all (more) functions in PHP that this code uses and lost 5 days, all databases of 200 customers, had to rebuild mailboxes via a Plesk script, a repair tool is only available in Plesk for Windows to repair file permissions and other stuff, I also had to work in a 10MB psa database for several days, ... ....

Why not use psarestore, right? 1. It gives 100s of errors, it messes up the database, creates empty databases, and does not work when having language packs installed! ++++++++++++++++++++++

And so on and on!!!!!!!!!!

I want a decent working psadump/restore/migration/repair of file permissions, mailboxes, add users, etc... because now it is a pain in the ***, and I am going bankrupt; I could not make any profit, but none! Every upgrade sucks because of package conflicts, every backup/restore is full of errors, ...............

Come on, this is not correct.

I will go to the police on Monday to file a complaint.
I have full details and traces from the start of the hack.

TIP: do not reboot during a hack, just back up for sure, and REINSTALL all and do the Plesk way hassle for days.
 
Check on Google for: hacked by mdx


When my server was hacked, I got a phone call instantly and I saw it going on! Google had only 135 results, now it's more than 23,800 + the servers that are down because it messes up the root of Linux AND Windows. I know this because my friend's server was also hacked by mdx.

All indexes defaced, all MySQL dumped and sent, all passwords captured from passwd, group, mysql, etc...

I estimate this "hacked by mdx" has now reached over 1.2 million sites, with root destruction of 99%
 
I also have problems on 3 servers with the statistics crontab that is crashing the server; I see many other people also with daily and/or weekly crashes!

This is because the statistics crontab is having problems and lets the server crash daily, and weekly here!

I also found another possible solution when I was just looking for more PHP/CGI security;

Submitted by eth00 on www.eth0.us Tue, 2005-04-19 11:18. Beginner information | General system administration | Security How-To's and Guides
A recent problem with RHEL and cPanel causes some servers to crash on a daily or every couple of days basis. The normal symptoms of this sort of crashing are having the server crashing at the same time every time that it crashes. If you are having these problems I would suggest that you go ahead and just disable the auditd for now since the system can run fine without it and it seems to be causing a lot of trouble for some people. The below has worked fine for me on hundreds of servers and should not cause any issues.
 
What exactly did this script exploit? Was it a PHP issue or another system daemon vulnerability?
 
/home/httpd/vhosts/site........... was injected via the Mambo repository PHP, downloaded other PHP and CGI scripts, executed PHP scripts locally, and Perl scripts in /tmp

It defaced all sites by searching home and index files, no matter the extension.

It installed a nice login message in SSH to block commands.

It dumped all MySQL databases and sent them to a Russian IP..
.....
.............
 
It is not a PHP issue, it is a Plesk issue!!!!!!!!!!

PLESK DOES NOT INSTALL THE NEEDED SECURITY!!!!!!!!!!

PHP needs to run safer and with fewer functions + Plesk needs to noexec the /tmp dirs, because it never was done.

It also needs to check file and directory permissions of all users, and it also needs to check the permissions in passwd, because it doesn't do it right now!

ALL PLESK INSTALLS ARE UNSAFE, I can assure you!

Linux and Windows Plesk installations are not safely done!
There are dozens of gaps in the Plesk security setup; check out the Plesk forum for "hacked"!
 
As was recommended before, you need to hire a server admin to secure your box. Securing a server is the responsibility of the server owner and not Plesk or any control panel for that matter.
 
Originally posted by vaoffroader
As was recommended before, you need to hire a server admin to secure your box. Securing a server is the responsibility of the server owner and not Plesk or any control panel for that matter.

Wise words from a wise man!

System Administrators exist because of this; it's a profession, and it's meant to help (for a price) others keep their businesses safe (or as safe as possible, as such a thing as 100% secure can be achieved only by turning off the computer).
 
Honestly... stop accusing Plesk because your server was hacked. It's obvious that you have no knowledge of server administration or security just by the depth of your posts. If you think Plesk is insecure, switch to a different control panel. There's no doubt you'll be complaining due to a hacked server in a very short period of time.

If you think ANY server running ANY control panel is secure as it is handed to you from a fresh install, think again!
 
Plesk ...

Well, I think Plesk has some responsibility, since they make available for a fee an application vault whose packages have faults. They should provide a way to protect your server from it or not provide the apps.

Plesk is supposed to serve the hosting industry: easier and safe management of large quantities of domains.
That's not what's happening, in my opinion.


Having mod_security is very nice, but it increases the CPU load very much!

What I think is best is to install a VPS server like XEN and do regular backups, and have an "UNSAFE" host for those types of unsafe apps.

I refuse to host Mambos, PHPNukes, phpBB, etc...


Regards
Joao Correia
 
PSA = Plesk Server Administrator

Here is the deal:

- It does not secure PHP the way it needs to be
- It does not secure the /tmp folder, so scripts can be uploaded and executed
- It does not have a decent backup/restore function
- It does not check file permissions
- It does not upgrade the way it is supposed to
- On 5 servers with the same OS, same HW, same SW, I get 5 different errors during installation

- You pay for language packs, and when you upgrade they disappear and leave 2000 errors in the client.
- You pay for an application vault, and your server gets hacked via Mambo (which is proven)
 
Which is why any SMART host does not allow the use of the application vault packages. There are around 30 applications; none of them will always be updated, and if they are, that doesn't mean the users running these applications are going to update their packages.

Let customers install their own applications, or do it for them, directly from the developers' website.
 
This makes no sense, selling applications, but they're insecure...

It really does not make any sense.

Why sell them??????????

The reason I bought the applications is to get no emails about the configuration of Mambo, phpBB forum, etc... everybody is using them, with or without Plesk.
 
Because it's impossible for Plesk or anyone to keep 30 applications up to date, unless they're releasing Plesk updates every other day.
 
What Application Vault, Fantastico, and Installatron all provide is an easy end-user install for a number of different packages, but they do not support the packages themselves. Some of the packages in these installers may not be the newest version available.

It is your responsibility as a hosting provider to secure and lock down your servers, period. You will always have an end user running an outdated or insecure script at some time or another. By securing your servers you will be able to prevent the hack, or in the worst case isolate the hack to that one user without having your server rooted.
 
First, you really need to start with some basics.

1. Secure your own /tmp partition; this is not the responsibility of PLESK but yours as the system admin.

2. Install mod_security and BFD. So what if it uses a bit of CPU? You will not have 5 days of downtime; don't you think the trade-off is worth it?

3. Do manual backups each night or at least once a week.

4. If you do not want to use the PLESK backup functions, purchase Acronis True Image and dump a full disk image each night.

5. Keep an eye on your servers, their processes and the scripts that are being run on your servers. If you cannot manage this yourself, hire someone who can.

6. Do not offer SHELL, SSH or remote access on shared servers.

7. Screen your customer signups and do not use auto-sign up scripts.

8. Do not allow customers to sign up with "Free Email Addresses" such as hotmail, yahoo etc..

9. Do a call back to your customers when they sign up to confirm they have provided a valid phone number.

10. Remember, the more you automate, the more you sacrifice security.

11. Keep all system OS's up2date.

12. Enforce patches to customer scripts which are exploitable, or disable them by changing permissions.

13. Look into GRSEC or SELinux kernels, and apply them if possible.

There are so many duties of an admin, so keep researching all the time. Systems cannot be set up and then left alone to run themselves.
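The demands a few posts up (noexec on /tmp, fewer PHP functions, a check of file permissions and of passwd) and steps 1 and 12 of the list above are all things an admin can verify with a few shell functions. The script below is an added example written for this thread, not Plesk's or any poster's code. Every check takes its input file or directory as an argument so it can be run against sample files as well as a live box; the default paths used by `audit_host` (/home/httpd/vhosts from the thread, /etc/php.ini for RHEL/CentOS) are assumptions and can be overridden with the VHOSTS and PHP_INI variables.

```shell
#!/bin/sh
# Added example, not from the thread or from Plesk: a small audit script for the
# hardening points raised in the discussion (noexec/nosuid/nodev on /tmp,
# world-writable entries under the vhosts tree, extra UID-0 accounts in passwd,
# and PHP disable_functions). Each check takes its input as an argument.
export LC_ALL=C

# Return 0 if, in the mounts file $1 (e.g. /proc/mounts), mount point $2 is a
# separate mount carrying all of noexec, nosuid and nodev; 1 otherwise.
tmp_mount_hardened() {
    mounts="$1"; mnt="$2"
    opts=$(awk -v m="$mnt" '$2 == m { print $4 }' "$mounts")
    [ -n "$opts" ] || return 1          # not a separate mount at all
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;             # option present
            *) return 1 ;;
        esac
    done
    return 0
}

# Print every account in passwd file $1 that has UID 0 but is not root;
# return 1 if there are any, 0 if passwd is clean.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" | grep . && return 1
    return 0
}

# Count regular files and directories below $1 that are world-writable.
world_writable_count() {
    find "$1" \( -type f -o -type d \) -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if the php.ini at $1 lists every function named in the remaining
# arguments in disable_functions; 1 if any of them is still enabled.
php_functions_disabled() {
    ini="$1"; shift
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
        | tr -d ' ' | tr ',' '\n')
    for fn in "$@"; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || return 1
    done
    return 0
}

# Run all checks against the live host. Default paths are assumptions:
# /home/httpd/vhosts is the vhosts root named in the thread, /etc/php.ini the
# RHEL/CentOS location; override with VHOSTS= and PHP_INI= if yours differ.
audit_host() {
    vhosts="${VHOSTS:-/home/httpd/vhosts}"
    ini="${PHP_INI:-/etc/php.ini}"
    if tmp_mount_hardened /proc/mounts /tmp; then
        echo "OK   /tmp is mounted noexec,nosuid,nodev"
    else
        echo "WARN /tmp is not a separate noexec,nosuid,nodev mount"
    fi
    if extra_uid0_accounts /etc/passwd >/dev/null; then
        echo "OK   root is the only UID-0 account"
    else
        echo "WARN extra UID-0 accounts: $(extra_uid0_accounts /etc/passwd | tr '\n' ' ')"
    fi
    echo "INFO world-writable entries under $vhosts: $(world_writable_count "$vhosts")"
    if php_functions_disabled "$ini" system exec shell_exec passthru popen proc_open; then
        echo "OK   shell-spawning PHP functions are disabled in $ini"
    else
        echo "WARN $ini leaves at least one shell-spawning PHP function enabled"
    fi
}

# Only touch the live system when asked to, so the functions can also be
# sourced and run against sample files.
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --live` on the server, or source it and call the individual functions against copies of /proc/mounts, /etc/passwd and php.ini taken from a box you are reviewing. A noexec /tmp only blocks direct execution of files placed there; the PHP disable_functions check is the other half, since scripts that cannot spawn a shell cannot hand a dropped file to an interpreter either.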
 
More wise words, from a wiser man.

Markus, SW-SOFT sells Control Panels, not SECURITY software. If you want to keep your servers secure you only have 2 options: learn System Administration (and keep reading/learning every, every, every day) or hire someone to do the job.
 
I think what the primary complaint comes back to is not that Plesk is not securing the server at install, but that swsoft is charging its customers for the use of the Application Vault, and distributing exploitable packages inside of it.

Securing /tmp is only a partial fix... it will not prevent direct execution of scripts (using /tmp/filename as a full path). The phpBB exploit that utilized this was "patched" to work around the noexec within a week of the "fix" being made public.

mod_security: I have yet to see any significant CPU usage. Perhaps on a setup using thousands of rules, but one most definitely would not need to go to such an extreme to secure their server.

Backups through Plesk ****. THOSE use CPU, and a lot of it... and even when they complete, it's hit and miss as to whether they will be of any use for anything more than drive-space eaters. It's sad that you have to dump money into an expensive Control Panel just to get a usable backup out of it, but in this case, it's necessary. Take the money you'll be saving from not having to pay for a useless Application Vault and put it towards that instead.

cPanel has a neat feature in it that I really wish Plesk would utilize in their systems. It's a monitor that will send a mail to the server admin whenever a file is uploaded that uses the mail() command. It's also got process killers, and Chirpy (the mod over there) has written an absolutely phenomenal firewall/login detection script that blows APF/BFD out of the water, and is vastly superior to the module for iptables that Plesk slapped together (it was a nice attempt, but far from enough to make it feasible).

6-10 are obviously an "Oh yeah" situation. Can't add any more to it than that. Modernbill, if you choose to semi-automate, allows you to block certain email addresses. gmail, hotmail, yahoo, and bluebottle.com are at the top of my list.

As for up2date, also check into ART's yum repository. He's pretty good about keeping things stable and current... better than most OS vendors, and I would say better than swsoft too.
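Two things from this thread are cheap to watch for without any control panel: the defacement pattern described earlier (every index file rewritten, new scripts dropped into httpdocs) shows up as a diff against a checksum baseline, and the cPanel mail() monitor mentioned above can be approximated with a periodic scan of PHP files. The script below is an added example for this thread, not cPanel's monitor or any poster's code; it uses only POSIX tools (cksum, comm, find, grep), and the directory names in its usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from any control panel vendor: a
# checksum baseline for the web roots so a defacement (changed index files,
# dropped scripts) shows up as a diff, plus a scan for PHP files that call
# mail(), modelled loosely on the cPanel upload monitor described above.
export LC_ALL=C

# Record "crc size path" for every file under $1 into the baseline file $2.
# cksum is used rather than md5sum because it is POSIX and present everywhere.
make_baseline() {
    find "$1" -type f -exec cksum {} \; | sort > "$2"
}

# Print the path of every file under $1 that is new or whose checksum differs
# from the baseline $2. Deleted files are not reported. Return 1 if anything
# is listed, 0 if the tree still matches the baseline.
changed_since_baseline() {
    find "$1" -type f -exec cksum {} \; | sort \
        | comm -13 "$2" - | cut -d' ' -f3- | grep . && return 1
    return 0
}

# List PHP files under $1 that contain a call to mail(); the leading
# non-word check keeps names such as sendmail( from matching.
# Return 1 if any are found, 0 otherwise.
php_files_calling_mail() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' {} + \
        | grep . && return 1
    return 0
}

# Typical use (paths are assumptions: the thread's vhosts root, and a baseline
# kept outside the web tree so a compromised httpdocs cannot rewrite it):
#   make_baseline /home/httpd/vhosts /var/lib/web-baseline.cksum
#   changed_since_baseline /home/httpd/vhosts /var/lib/web-baseline.cksum
#   php_files_calling_mail /home/httpd/vhosts
```

Run `make_baseline` after a known-good deploy and the other two from cron, mailing any output to the admin; a non-empty list from `changed_since_baseline` that is not explained by a customer upload is exactly the early signal the original poster lacked until the phone rang. Keep the baseline file on a path the web server user cannot write.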
 