
Security Concern

poopster

Guest
Lately I have been getting this in the Event Viewer application log. I looked around my HD and noticed someone has been uploading MP3s to some tucked-away directory on one of my servers that has Plesk (7.6.1) installed.

I am not sure what's going on here, but does anyone know what applysecurity.exe does?

Is anyone aware of a security hole?

Any help would be greatly appreciated.


PathCombine failed for dir W:\System Volume Information\_data\MP3-US\0704\VA-DJ_Chuck_T_Trae_And_Kiotti_Presents_Down_South_Slangins_Class_Of_2k6-Street_Hustlenomics-(Bootleg)-2006-RAGEMP3 and fileName 00-va-dj_chuck_t_trae_and_kiotti_presents_down_south_slangins_class_of_2k6-street_hustlenomics-(bootleg)-(back).jpg
at (VFileName::combine line 105)
at execute console command --apply(vconsoleapp::start line 128)
at execute "C:\Program Files\SWsoft\Plesk\admin\bin\ApplySecurity.exe" --apply(vconsoleapp::run line 138)
Execute file name: C:\Program Files\SWsoft\Plesk\admin\bin\ApplySecurity.exe

When I checked this directory, it was loaded with MP3s. Apparently someone is able to upload to the server.
I am not sure how they are able to download.

Any help would be greatly appreciated.


Regards,

Poopster
 
Here is another entry from Event Viewer.

The directory is not empty. (Error code 145) at delete directory \\?\C:\WINDOWS\TEMP\{RUNTASK--17ab13b6-85cf-11db-96fe-00304856aaf9}
at (removeDir line 247)
at Unable to execute event(runtask::start line 208)
Execute file name: C:\Program Files\SWsoft\Plesk\admin\bin\runtask.exe

Anyone have any idea how this person is able to execute these exe's remotely?

I have Windows Firewall on with a few exceptions. I have File & Print Sharing and MS clients turned off.

Anyone have any advice on how to monitor how this person is getting in?

Regards,

Poopster
 
I was wondering if someone could confirm the following Plesk task running every night at 11:16pm:


Plesk apply Security Task


"C:\Program Files\SWsoft\Plesk\admin\bin\ApplySecurity.exe" --apply

I would like to make sure this is supposed to be there.


Thank you
 