
Plesk Server Hacked - New Exploit?

Discussion in 'Plesk for Linux - 8.x and Older' started by schlimpf, Jan 1, 2013.

  1. schlimpf

    schlimpf Basic Pleskian

    Hey,

    I know that Plesk 8.6 is a really old version of the plesk panel. We already upgraded to version 11 on our new server, but had the old version running until the complete migration was finished.
    After the complete migration, we left the server running until now. Our provider told us that there are outgoing DDoS attacks from our server.
    I investigated the problem and for now I found the following files:
    Code:
    /usr/local/psa/tmp/app-data.d/
    /usr/local/psa/tmp/app-data.d/.wapi/
    /usr/local/psa/tmp/app-data.d/.wapi/logs/
    /usr/local/psa/tmp/app-data.d/.wapi/-sh
    /usr/local/psa/tmp/app-data.d/.wapi/start
    /usr/local/psa/tmp/app-data.d/.wapi/vhosts
    /usr/local/psa/tmp/app-data.d/.wapi/zmeu.help
    /usr/local/psa/tmp/app-data.d/multi.tgz
    /usr/local/psa/tmp/app-data.d/multi.tgz.1
    /tmp/multi.tgz
    /tmp/.wapi/
    /tmp/.wapi/logs/
    /tmp/.wapi/logs/zmeu.log
    /tmp/.wapi/r
    /tmp/.wapi/r/away
    /tmp/.wapi/r/insult
    /tmp/.wapi/r/kicks
    /tmp/.wapi/r/nicks
    /tmp/.wapi/r/pickup
    /tmp/.wapi/r/say
    /tmp/.wapi/r/signoff
    /tmp/.wapi/r/tar
    /tmp/.wapi/r/tsay
    /tmp/.wapi/r/versions
    /tmp/.wapi/.user
    /tmp/.wapi/1bil
    /tmp/.wapi/2bil
    /tmp/.wapi/85.214.xxx.xxx.user (our ip)
    /tmp/.wapi/85.214.xxx.xxx.user (second ip)
    /tmp/.wapi/autorun
    /tmp/.wapi/core.20163
    /tmp/.wapi/core.20165
    /tmp/.wapi/harlam.seen
    /tmp/.wapi/inst
    /tmp/.wapi/joel.seen
    /tmp/.wapi/LinkEvents
    /tmp/.wapi/pico
    /tmp/.wapi/run
    /tmp/.wapi/-sh
    /tmp/.wapi/start
    /tmp/.wapi/update
    /tmp/.wapi/vhosts
    /tmp/.wapi/zakeus.seen
    /tmp/.wapi/zmeu.cron
    /tmp/.wapi/zmeu.dir
    /tmp/.wapi/zmeu.help
    /tmp/.wapi/zmeu.ini
    /tmp/.wapi/zmeu.lvl
    /tmp/.wapi/zmeu.pid

    It seems that the files came from the Plesk temp folder, where an archive "multi.tgz" was installed and copied to the /tmp folder.
    The multi.tgz archive contains the .wapi folder.
    For those interested in the files, I uploaded the multi.tgz archive to my dropbox:
    https://www.dropbox.com/s/le5ftj8wgsygc81/multi.tgz
    And also the /tmp/.wapi folder which contains more files than the "original" multi.tgz:
    https://www.dropbox.com/s/rc8pnw4c8i0smgu/.wapi.rar

    The malware_removal_script_linux_8.php (http://kb.parallels.com/en/115025) does not remove this malware, and the vulnerability checker (http://kb.parallels.com/en/113424) says "The patch has been successfully applied".

    Maybe the plesk team can investigate this. I did not find anything about this exploit.
     
    Last edited: Jan 1, 2013
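    A triage scan for the indicator names listed in this post, added here as an example that is not from the thread or from Parallels; the name patterns and the default roots are taken from the paths above, and each hit is reported with its owning uid and mode because the listing in the second post shows every dropped file owned by the web server user, which points at a web-facing entry point.

```python
import os
import re
import stat
from pathlib import Path

# Indicator names constructed from the paths listed in this thread
# (not a vendor signature set; extend as needed).
HIDDEN_DIR = ".wapi"
NAME_PATTERNS = [
    re.compile(r"^zmeu\.(?:help|cron|dir|ini|lvl|pid|log)$"),
    re.compile(r"^multi\.tgz(?:\.\d+)?$"),
    re.compile(r"^-sh$"),                          # binary named to blend into process lists
    re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\.user$"),  # per-IP user files
    re.compile(r"^[a-z]+\.seen$"),                 # IRC-bot "seen" records
]
# Roots from the thread; scan() accepts other roots (e.g. a mounted disk image).
DEFAULT_ROOTS = ["/tmp", "/usr/local/psa/tmp"]


def is_indicator(path: Path) -> bool:
    """True if the basename matches a pattern or any ancestor is the hidden dir."""
    if HIDDEN_DIR in path.parts:
        return True
    return any(pat.match(path.name) for pat in NAME_PATTERNS)


def scan(roots=DEFAULT_ROOTS) -> list:
    """Walk each root; return sorted (path, owner uid, mode string) for every hit."""
    hits = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                p = Path(dirpath) / name
                if not is_indicator(p):
                    continue
                try:
                    st = os.lstat(p)  # lstat: do not follow planted symlinks
                except OSError:
                    continue
                hits.append((str(p), st.st_uid, stat.filemode(st.st_mode)))
    return sorted(hits)


if __name__ == "__main__":
    for path, uid, mode in scan():
        print(f"{mode} uid={uid} {path}")
```

Run it as root so the Plesk temp directory is readable; a non-empty result is a reason to treat the host as compromised rather than to delete the files, since the listing is the evidence for the rest of the investigation.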
  2. schlimpf

    schlimpf Basic Pleskian

    bump --------------
     
  3. WagnerC

    WagnerC New Pleskian

    I have the same problem here:
    ll -t web-master:/tmp/.../
    -rw-r--r-- 1 wwwrun www 1386851 Sep 26 09:57 LinkEvents
    -rw-r--r-- 1 wwwrun www 1054 Sep 26 09:00 zmeu.lvl
    drwxr-xr-x 2 wwwrun www 264 Sep 25 21:51 r
    drwxr-xr-x 2 wwwrun www 72 Sep 25 21:50 logs
    -rw-r--r-- 1 wwwrun www 106 Sep 23 17:00 10.0.0.98.user
    -rw-r--r-- 1 wwwrun www 75031 Sep 23 17:00 hung.seen
    -rw-r--r-- 1 wwwrun www 106 Sep 23 15:00 10.0.0.99.user
    -rw-r--r-- 1 wwwrun www 70208 Sep 23 15:00 danna.seen
    -rw------- 1 wwwrun www 5 Aug 13 12:17 zmeu.pid
    -rw-r--r-- 1 wwwrun www 114 Aug 8 21:36 10.199.199.1.user
    -rwxr--r-- 1 wwwrun www 160 Aug 8 21:36 update
    -rw-r--r-- 1 wwwrun www 42 Aug 8 21:36 zmeu.cron
    -rw-r--r-- 1 wwwrun www 9 Aug 8 21:36 zmeu.dir
    -rw-r--r-- 1 wwwrun www 2243 Aug 8 21:36 zmeu.ini
    -rw-r--r-- 1 wwwrun www 33 Aug 8 21:36 vhosts
    -rwxr-xr-x 1 wwwrun www 8936 May 17 11:06 inst
    -rwxr-xr-x 1 wwwrun www 583 Mar 13 2013 start
    -rwxr-xr-x 1 wwwrun www 329 Feb 12 2013 autorun
    -rwxr-xr-x 1 wwwrun www 174937 Mar 9 2011 pico
    -rwxr-xr-x 1 wwwrun www 29 Jan 18 2010 run
    -rwxr-xr-x 1 wwwrun www 502759 Jan 18 2010 -sh
    -rwxr-xr-x 1 wwwrun www 22882 May 15 2003 zmeu.help

    schlimpf, did you already get some help?
    Thanks!
     
  4. schlimpf

    schlimpf Basic Pleskian

    WagnerC, no, we did not get any help.
    You should consider the server hacked; more backdoors may have been inserted somewhere else.
    If you need assistance you can contact me.
     