
Plesk Server Hacked - New Exploit?

schlimpf

Basic Pleskian
Hey,

I know that Plesk 8.6 is a really old version of the plesk panel. We already upgraded to version 11 on our new server, but had the old version running until the complete migration was finished.
After the complete migration, we left the server running until now. Our provider told us that there are outgoing ddos attacks from our server.
I investigated the problem and for now I found the following files:
Code:
/usr/local/psa/tmp/app-data.d/
/usr/local/psa/tmp/app-data.d/.wapi/
/usr/local/psa/tmp/app-data.d/.wapi/logs/
/usr/local/psa/tmp/app-data.d/.wapi/-sh
/usr/local/psa/tmp/app-data.d/.wapi/start
/usr/local/psa/tmp/app-data.d/.wapi/vhosts
/usr/local/psa/tmp/app-data.d/.wapi/zmeu.help
/usr/local/psa/tmp/app-data.d/multi.tgz
/usr/local/psa/tmp/app-data.d/multi.tgz.1
/tmp/multi.tgz
/tmp/.wapi/
/tmp/.wapi/logs/
/tmp/.wapi/logs/zmeu.log
/tmp/.wapi/r
/tmp/.wapi/r/away
/tmp/.wapi/r/insult
/tmp/.wapi/r/kicks
/tmp/.wapi/r/nicks
/tmp/.wapi/r/pickup
/tmp/.wapi/r/say
/tmp/.wapi/r/signoff
/tmp/.wapi/r/tar
/tmp/.wapi/r/tsay
/tmp/.wapi/r/versions
/tmp/.wapi/.user
/tmp/.wapi/1bil
/tmp/.wapi/2bil
/tmp/.wapi/85.214.xxx.xxx.user (our ip)
/tmp/.wapi/85.214.xxx.xxx.user (second ip)
/tmp/.wapi/autorun
/tmp/.wapi/core.20163
/tmp/.wapi/core.20165
/tmp/.wapi/harlam.seen
/tmp/.wapi/inst
/tmp/.wapi/joel.seen
/tmp/.wapi/LinkEvents
/tmp/.wapi/pico
/tmp/.wapi/run
/tmp/.wapi/-sh
/tmp/.wapi/start
/tmp/.wapi/update
/tmp/.wapi/vhosts
/tmp/.wapi/zakeus.seen
/tmp/.wapi/zmeu.cron
/tmp/.wapi/zmeu.dir
/tmp/.wapi/zmeu.help
/tmp/.wapi/zmeu.ini
/tmp/.wapi/zmeu.lvl
/tmp/.wapi/zmeu.pid


It seems that the files came from the Plesk temp folder, where an archive "multi.tgz" was installed and copied to the /tmp folder.
The multi.tgz archive contains the .wapi folder.
For those interested in the files, I uploaded the multi.tgz archive to my dropbox:
https://www.dropbox.com/s/le5ftj8wgsygc81/multi.tgz
And also the /tmp/.wapi folder which contains more files than the "original" multi.tgz:
https://www.dropbox.com/s/rc8pnw4c8i0smgu/.wapi.rar

The malware_removal_script_linux_8.php (http://kb.parallels.com/en/115025) does not remove this malware, and the vulnerability checker (http://kb.parallels.com/en/113424) says "The patch has been successfully applied".

Maybe the plesk team can investigate this. I did not find anything about this exploit.
 
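The file names in the post (the hidden .wapi directory, the multi.tgz drop, the zmeu.* bot files, the -sh binary, LinkEvents and the per-IP .user files) are usable as filename indicators for finding the same drop on other hosts. The scanner below is an added example written for this thread, not code from Plesk or from the poster; it walks the two directories named in the post and reports any entry whose name matches one of those patterns. The indicator list, the sample directory layout it builds for the demonstration, and the default roots are assumptions taken from the listing above.

```python
import fnmatch
import os
import tempfile

# Filename patterns taken from the listing in the thread. These are names only,
# not hashes or signatures, so treat a hit as something to inspect, not proof.
INDICATOR_PATTERNS = (
    ".wapi",        # hidden bot directory under /tmp and the Plesk temp dir
    "multi.tgz*",   # dropped archive (multi.tgz, multi.tgz.1)
    "zmeu.*",       # zmeu.cron, zmeu.ini, zmeu.pid, zmeu.log, zmeu.help, ...
    "-sh",          # bot binary named to look like a login shell
    "LinkEvents",
    "*.user",       # per-IP configuration files
)

# Directories named in the thread; assumed defaults for a real scan.
DEFAULT_ROOTS = ("/tmp", "/usr/local/psa/tmp")


def matches_indicator(name):
    """True if a file or directory basename matches one of the indicator patterns."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in INDICATOR_PATTERNS)


def scan_roots(roots):
    """Walk each existing root and return the sorted full paths of matching entries."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if matches_indicator(name):
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout mirroring the thread's listing, as empty files."""
    layout = [
        ".wapi/zmeu.ini", ".wapi/zmeu.pid", ".wapi/-sh", ".wapi/LinkEvents",
        ".wapi/10.0.0.98.user", "multi.tgz", "multi.tgz.1",
        "sess_abc123",  # benign PHP session file; must not be reported
    ]
    for rel in layout:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo_scan():
    """Build the constructed tree in a temp dir, scan it, return hits relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.relpath(hit, tmp) for hit in scan_roots([tmp])]


if __name__ == "__main__":
    # Demonstration against the constructed tree; on a real host call
    # scan_roots(DEFAULT_ROOTS) as root instead.
    for hit in demo_scan():
        print("indicator:", hit)
```

On a live server run scan_roots(DEFAULT_ROOTS) as root, and treat the web-server user (wwwrun in the second listing) owning executables under /tmp as a second signal worth checking by hand, since the bot can be renamed while the ownership pattern stays.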
I have the same problem here:
ll -t web-master:/tmp/.../
-rw-r--r-- 1 wwwrun www 1386851 Sep 26 09:57 LinkEvents
-rw-r--r-- 1 wwwrun www 1054 Sep 26 09:00 zmeu.lvl
drwxr-xr-x 2 wwwrun www 264 Sep 25 21:51 r
drwxr-xr-x 2 wwwrun www 72 Sep 25 21:50 logs
-rw-r--r-- 1 wwwrun www 106 Sep 23 17:00 10.0.0.98.user
-rw-r--r-- 1 wwwrun www 75031 Sep 23 17:00 hung.seen
-rw-r--r-- 1 wwwrun www 106 Sep 23 15:00 10.0.0.99.user
-rw-r--r-- 1 wwwrun www 70208 Sep 23 15:00 danna.seen
-rw------- 1 wwwrun www 5 Aug 13 12:17 zmeu.pid
-rw-r--r-- 1 wwwrun www 114 Aug 8 21:36 10.199.199.1.user
-rwxr--r-- 1 wwwrun www 160 Aug 8 21:36 update
-rw-r--r-- 1 wwwrun www 42 Aug 8 21:36 zmeu.cron
-rw-r--r-- 1 wwwrun www 9 Aug 8 21:36 zmeu.dir
-rw-r--r-- 1 wwwrun www 2243 Aug 8 21:36 zmeu.ini
-rw-r--r-- 1 wwwrun www 33 Aug 8 21:36 vhosts
-rwxr-xr-x 1 wwwrun www 8936 May 17 11:06 inst
-rwxr-xr-x 1 wwwrun www 583 Mar 13 2013 start
-rwxr-xr-x 1 wwwrun www 329 Feb 12 2013 autorun
-rwxr-xr-x 1 wwwrun www 174937 Mar 9 2011 pico
-rwxr-xr-x 1 wwwrun www 29 Jan 18 2010 run
-rwxr-xr-x 1 wwwrun www 502759 Jan 18 2010 -sh
-rwxr-xr-x 1 wwwrun www 22882 May 15 2003 zmeu.help

schlimpf, did you already get some help?
Thanks!
 
WagnerC, no, we did not get any help.
You should consider the server hacked; more backdoors may have been inserted somewhere else.
If you need assistance you can contact me.
 