
Issue Plesk server hacked

Luiz_Gustavo

Basic Pleskian
Hello,

A customer's Plesk server running Ubuntu 12.08 and Plesk 12.0.18 was hacked tonight.
He sent a file to one subscription using a vulnerable uploadfy.swf on that site. After uploading the file, the hacker changed something in the users shadow or something else that I don't understand, and ran a su with root

su[21158]: Successful su for r00t by www-data
su[21158]: pam_unix(su:session): session opened for user r00t by (uid=33)

After the successful "su" he ran a script that changed all INDEX.PHP files in all subscriptions (more than 500)

My technician restored the user files and the server. After this issue we upgraded Plesk to 17.0.18 and updated all Ubuntu 12 packages.

Any idea to help me prevent another problem like this?

Thanks for any help,

Gustavo
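
Added example, not part of the original thread: a small detector for the pattern in the two su log lines quoted in the post above, where a web-server account (www-data, uid 33) successfully runs su. The service-account list, the UID threshold, and the timestamps and hostnames in the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: accounts that run web-facing daemons on this host; edit to match.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}
# Assumption: Debian/Ubuntu convention that human logins start at UID 1000.
FIRST_HUMAN_UID = 1000

SU_OK = re.compile(
    r"su\[(?P<pid>\d+)\]: Successful su for (?P<target>\S+) by (?P<caller>\S+)")
SU_SESSION = re.compile(
    r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session opened for user "
    r"(?P<target>\S+) by \S*\(uid=(?P<uid>\d+)\)")

def find_service_su(lines):
    """Return one finding per su PID invoked by a service account or system UID."""
    events = {}  # pid -> fields merged from the su line and the PAM session line
    for line in lines:
        for pattern in (SU_OK, SU_SESSION):
            m = pattern.search(line)
            if m:
                events.setdefault(m["pid"], {}).update(m.groupdict())
    findings = []
    for pid, ev in events.items():
        uid = int(ev["uid"]) if "uid" in ev else None
        by_service = ev.get("caller") in SERVICE_ACCOUNTS
        # uid 0 is root itself; 1..999 are system/daemon accounts by convention.
        by_system_uid = uid is not None and 0 < uid < FIRST_HUMAN_UID
        if by_service or by_system_uid:
            findings.append({"pid": pid, "target": ev["target"],
                             "caller": ev.get("caller"), "uid": uid})
    return findings

# Constructed sample: the first two messages are the ones quoted in the post,
# with a made-up timestamp and hostname; the rest are benign filler lines.
SAMPLE = [
    "Jan  1 02:10:11 host su[21158]: Successful su for r00t by www-data",
    "Jan  1 02:10:11 host su[21158]: pam_unix(su:session): session opened for user r00t by (uid=33)",
    "Jan  1 09:00:02 host su[30411]: Successful su for root by admin",
    "Jan  1 09:00:02 host su[30411]: pam_unix(su:session): session opened for user root by admin(uid=1000)",
    "Jan  1 09:17:01 host CRON[30500]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for finding in find_service_su(SAMPLE):
        print("ALERT: su invoked by a service account:", finding)
```

Run it over /var/log/auth.log (for example `find_service_su(open("/var/log/auth.log"))`) on each server that shares this configuration; any finding means a daemon account obtained a shell as another user.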
 
we upgraded Plesk to 17.0.18 and updated all Ubuntu 12 packages.
It would be better to migrate to the latest Plesk Onyx 17.5 installed on Ubuntu 16.0.4. A lot of security issues were fixed there and the Security Advisor extension was implemented.
 
Hi Igor,

I’ll do it as soon as possible, but we have many servers with the same configuration. I need to prevent problems like this until we have time to plan and migrate.

Do you know if I can do a dist-upgrade to 14 and 16 followed by a Plesk upgrade? I am afraid this procedure will break something. The correct way is a fresh install and a migration with Plesk Migrator, but on this server alone there are 500 sites and more than 2.500 email accounts
 