
Security leak?

HansUnland

New Pleskian
Hello All,

I'm a newbie here and registered because I had a scary experience with my root server. It is running Parallels Plesk Panel 11.0.9 under CentOS. The last automatic update was on May 27th at 3:24. At least this time an e-mail from the Autoinstaller came in.

Yesterday I took a look at my blog, which is on a .org domain. But I only saw the message "Hier entsteht eine neue Internetpräsenz!". It means that there is a new website under construction.

So I opened my Plesk Panel and found the mentioned .org domain locked (red round marker). The popup message was "Diese Domain ist gesperrt". First I thought the German authorities had locked it. Free speech in a blog is somewhat dangerous in Germany. I asked my provider whether they had locked it, but they didn't know.

So I tried to unlock the domain using Plesk. No way. It kept answering with error messages.

Then I opened a root session in an SSH terminal and unlocked the domain with /usr/local/psa/bin/domain --on {domainname}.org. This worked.

OK, the website is available again now. A look at the blog statistics showed me that the last blog access was on May 28th around 3:00. From that time on the website was locked.

I have no idea how this can happen. Is it possible that there is a security leak in the newest version?

Kind regards
Hans
 
Check the expiry date on your subscription.

Was this server setup about a year ago?
If so, the default expiry date of 1 year has not been changed.

Also, these are questions your hosting provider should look into, not Parallels.
 
Hello StéphanS,

Many thanks for your very useful answer.

Check the expiry date on your subscription.

Was this server setup about a year ago?
If so, the default expiry date of 1 year has not been changed.

The server setup was in February 2013. And also there is no expiry. The use of Parallels is part of the contract.

Also, these are questions your hosting provider should look into, not Parallels.

It is a root server, my provider does not access it.

Nevertheless, just before this I found my .org domain locked again. I guess there is either a backdoor open or someone read my password.

Kind regards
Hans
 
Sounds more like an incomplete backup task, with the offline-option enabled, to me.

Very much possible as well!
But the error message normally clearly states that this is the reason.

OP, can you post the error messages you get when trying to re-enable?
 
Hello All,

Yesterday I disabled the suexec module of Apache. It didn't help. This morning I found my domain locked again. OK, there were some suspicious entries in access_log and error_log. Therefore disabling suexec was just a try.

So I changed all user passwords in the morning, although this cannot be the leak. I have all passwords in mind and nobody else knows or could guess them.

Sounds more like an incomplete backup task, with the offline-option enabled, to me.

Yes, this makes sense. I just gave it a look. In fact the offline option was enabled. I have disabled this feature now.

Many thanks for your input. Will let you know.

Kind regards
Hans
 
Here is some further information on the Plesk 9.0 to 9.2.3 phppath vulnerability that came out of continued investigation. The flaw is in 9.0 to 9.2.3, but can carry forward to later versions on Ubuntu and Debian with certain non-typical upgrade paths that do not include sequential updating to 9.5.x. See here for more details: http://kb.parallels.com/116241. Fixes have already been issued in the corresponding MU articles.
 
Check your domain status and enable it if it was disabled.
Run /etc/cron.daily/50plesk-daily
Check the status again. If the domain is still disabled, then you have problems with limits. Check the overuse policy for this domain, and the domain limits.
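An added script (not from the thread, nor Plesk's own tooling) that walks through the three checks above and records the status before and after the daily cron, so the admin has a timestamped trail to compare against the backup task's schedule. It assumes the `domain` utility's `--info` switch prints a line containing the word "status"; the binary and cron paths are the ones named in this thread.

```bash
#!/bin/bash
# Added example: check -> run daily cron -> re-check, following the answer above.
# ASSUMPTION: `domain --info <name>` prints a line with the word "status".
set -u

DOMAIN_BIN="${DOMAIN_BIN:-/usr/local/psa/bin/domain}"      # path from the thread
DAILY_CRON="${DAILY_CRON:-/etc/cron.daily/50plesk-daily}"  # path from the thread
LOG="${LOG:-/var/log/plesk-domain-check.log}"

# is_disabled INFO_TEXT -> true when the status line says disabled/suspended
is_disabled() {
    printf '%s\n' "$1" | grep -i 'status' | grep -Eqi 'disabled|suspended'
}

# classify BEFORE AFTER -> what the two status snapshots imply (pure, testable)
classify() {
    local before="$1" after="$2"
    if ! is_disabled "$before"; then echo "ok"; return 0; fi
    if ! is_disabled "$after";  then echo "reenabled-by-daily-cron"; return 0; fi
    echo "still-disabled-check-limits"; return 1
}

# log_line TEXT -> append a timestamped line to the log (evidence of timing)
log_line() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$LOG"
}

# check_domain NAME -> runs the real CLI; prints the classification
check_domain() {
    local name="$1" before after verdict
    [ -x "$DOMAIN_BIN" ] || { echo "no $DOMAIN_BIN" >&2; return 2; }
    before="$("$DOMAIN_BIN" --info "$name")" || return 2
    log_line "$name before-cron: $(printf '%s' "$before" | grep -i 'status')"
    [ -x "$DAILY_CRON" ] && "$DAILY_CRON"
    after="$("$DOMAIN_BIN" --info "$name")" || return 2
    log_line "$name after-cron: $(printf '%s' "$after" | grep -i 'status')"
    verdict="$(classify "$before" "$after")"
    log_line "$name verdict: $verdict"
    echo "$verdict"
}

# Usage: ./check-domain.sh example.org   (only runs when a name is given)
if [ "$#" -ge 1 ]; then
    check_domain "$1"
fi
```

If the verdict is `still-disabled-check-limits`, the log already holds the two status lines to hand to whoever reviews the subscription's overuse policy and limits.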
 
Hello once more,

As of today no domain is locked anymore. So it was the offline option in connection with a hanging backup. Many thanks to BoMbY and all for your help.

Kind Regards
Hans
 