
Security problem with filemng

Several files infected.

To scan and clean I'm using this command:

grep -ilr 'km0ae9gr6m' /var/www/vhosts | while IFS= read -r arq; do echo "$arq"; echo "$arq" >> /root/infected.txt; sed -i 's/km0ae9gr6m[^>]*qhk6sa6g1c/virus removed/g' "$arq"; done  # IFS= read -r and a quoted "$arq" keep paths with spaces or backslashes intact
 
This is a new plesk vulnerability

Yes, I believe this is a NEW vulnerability.
I have MU17 applied, and the php script says the patch had been successfully applied.

I logged in to find active sessions on almost every account from all over the internet.

I changed the passwords to the admin/client accounts and they just got them AGAIN.
 
Yes, I have the latest using 9.5.4 MU17. It says the vulnerability patch is installed. The passwords were changed. They got the new ones right away, not much protection there. I just found over 100 active sessions from all over the internet.

This is a NEW vulnerability.
 
I also think it's a NEW vulnerability, my servers were all updated with the microupdate and were exploited.

Only the ones with Atomic Secured Linux were not affected.

I'm also using this command to clean the infected files (slightly different from my previous post):

grep -ilr 'km0ae9gr6m' /var/www/vhosts/ | while IFS= read -r arq; do echo "$arq"; echo "$arq" >> /root/infected.txt; sed -ni '1h;1!H;${x;s/km0ae9gr6m.*qhk6sa6g1c/virus removed/;p}' "$arq"; done  # sed slurps the whole file so the injected block may span lines; "$arq" quoted so paths with spaces survive
 
Likewise, I have the patch installed, auto-changed all passwords and cleaned out the infected files on Friday, but have been compromised again this morning. This must be a NEW vulnerability. Any help is appreciated!
 
I'm sure it's a NEW vulnerability too. Parallels support didn't do anything; they answered to find an administrator :-(
 
I was patched on one server, unpatched on another. Both were penetrated. After patching the second server, then changing the client account passwords, the Plesk logs show the exploits are failing at the control panel login.

I'm also using corncrake's script via cron for monitoring the files, which is very handy. Thanks, corncrake!
 
It is NOT a new vulnerability. We strongly recommend you remove all records in the 'sessions' table of the psa database after mass password changing.

Use something like:

mysql> delete from sessions;
 
Yea, same here. Had the patch applied.

Can only guess that the passwords (which are stored in plain text in MySQL, whose root password is located in /etc/psa/.psa.shadow, wtf?) were compromised during the last exploit.
 
Generally, you should:

(1) apply fixes <-- http://kb.parallels.com/113321
(2) reset all passwords and make sure your clients don't change the passwords back <-- mail passwords could be skipped
(3) remove sessions records from psa db <-- mysql> delete from sessions;
(4) remove infected files <-- http://forum.parallels.com/showpost.php?p=630228&postcount=24

It should help.
 
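The clean-up one-liners quoted earlier in the thread and steps (3) and (4) of the list above, as an added shell script that is not from any poster or from Parallels: it quotes file names so paths with spaces survive, skips binary files, replaces each injected block with the shortest match so legitimate content between two separate injections is kept, and records every cleaned path. The marker strings are the ones quoted in the thread; the directory layout, the sample page content and the `mysql -u admin` invocation for clearing the sessions table are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Parallels. Marker strings are the ones
# quoted by the posters; everything else (paths, sample content, DB user) is assumed.

MARKER_START='km0ae9gr6m'
MARKER_END='qhk6sa6g1c'
REPLACEMENT='virus removed'

# remove_injected_blocks TEXT
# Prints TEXT with every MARKER_START...MARKER_END block replaced. Shell parameter
# expansion gives a shortest match, so text between two separate injections is kept
# (a greedy sed 's/start.*end/' would swallow it). An unterminated block is left
# untouched for manual review instead of truncating the file.
remove_injected_blocks() {
    content=$1
    while :; do
        case $content in
            *"$MARKER_START"*) ;;
            *) break ;;                     # nothing (left) to clean
        esac
        prefix=${content%%"$MARKER_START"*} # everything before the first start marker
        rest=${content#*"$MARKER_START"}    # everything after it
        case $rest in
            *"$MARKER_END"*) ;;
            *) break ;;                     # start marker without an end marker
        esac
        content="$prefix$REPLACEMENT${rest#*"$MARKER_END"}"
    done
    printf '%s' "$content"
}

# clean_infected_files DIR LOGFILE
# Rewrites every text file under DIR that contains the start marker, appends each
# path to LOGFILE and prints how many files were cleaned. IFS= and read -r keep
# paths with spaces or backslashes intact (newlines in names are not handled).
clean_infected_files() {
    dir=$1; logfile=$2
    list=$(mktemp)
    # -r recurse, -l names only, -I skip binary files, -F literal string
    grep -rlIF "$MARKER_START" "$dir" > "$list" || :
    while IFS= read -r f; do
        printf '%s\n' "$f" >> "$logfile"
        cleaned=$(remove_injected_blocks "$(cat "$f")")  # $(...) drops trailing newlines,
        printf '%s\n' "$cleaned" > "$f"                  # so one is written back
    done < "$list"
    wc -l < "$list" | tr -d ' '
    rm -f "$list"
}

# clear_plesk_sessions
# Step (3) from the thread: drop all rows of psa.sessions so stolen session ids stop
# working. Assumes the Plesk DB user is "admin" with its password in
# /etc/psa/.psa.shadow, the file the thread's password-changer command reads.
# Not run by the demo below.
clear_plesk_sessions() {
    mysql -u admin -p"$(cat /etc/psa/.psa.shadow)" psa -e 'DELETE FROM sessions;'
}

# demo: builds a scratch vhosts tree with constructed sample content (one clean
# page, one page with two injected blocks and a space in its name) and cleans it.
demo() {
    tmp=$(mktemp -d)
    docroot="$tmp/vhosts/example.com/httpdocs"
    mkdir -p "$docroot"
    printf '<html>\n<body>hello</body>\n</html>\n' > "$docroot/clean.html"
    printf '<html>\n<!--%s-->\n<script>bad()</script>\n<!--%s-->\n<p>keep me</p>\n<!--%s--><script>bad2()</script><!--%s-->\n</html>\n' \
        "$MARKER_START" "$MARKER_END" "$MARKER_START" "$MARKER_END" > "$docroot/index page.html"
    echo "cleaned $(clean_infected_files "$tmp/vhosts" "$tmp/infected.txt") file(s):"
    cat "$tmp/infected.txt"
    cat "$docroot/index page.html"
    rm -rf "$tmp"
}

case ${1:-} in --demo) demo ;; esac
```

Run it as `sh script.sh --demo` to see the scratch run; on a real server call `clean_infected_files /var/www/vhosts /root/infected.txt` after the password reset, then `clear_plesk_sessions`, in the order Igor lists.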
I will enable our admin panel again on one of our "less important" plesk servers and see what happens with the sessions table cleared and let you know.

hehe .. BAIT!
 

Do not forget to change ALL passwords there before the test.
 
php -d open_basedir= -d safe_mode=0 plesk_password_changer.php "$(cat /etc/psa/.psa.shadow)" 'hurrrrderp' --users --domains --domainadmins --admin

Is the command I used.

I didn't want to reset everybody's mail password as I didn't think that was necessary.
If it is, that will totally suck.
 
Ok. But in that case we can't talk about Plesk vulnerability consequences. The patch will not allow new attacks, but already stolen passwords allow hackers to install any trojans on your Plesk server, even though it is already protected by the patch.

Read "Best Practices" here http://kb.parallels.com/en/113321
 
I have found the client account they had been using to access and have now locked it down and changed all the passwords again. Will monitor the situation but I don't believe it is a new vulnerability any more.
 
Was done through the interface on multiple servers (different passwords and so on) using the interface and file manager.
@Igor there wasn't any sign then that it was hacked; the patch was applied on the same day it was released.
And it will be kind of odd to actually break a server after some time.
 
My plesk admin site log is full of lines like this:

2012-07-09 00:38:38 W3SVC16922 XXX 216.x.x.x GET /plesk.php/client@97/domain@240/hosting/file-manager/edit/ cmd=chdir&file=/httpdocs/ 8443 - 182.93.234.129 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/536.5+(KHTML,+like+Gecko)+Chrome/15.0.1084.56+Safari/546.5 PLESKSESSID=8594fbb307a4224f265af04f2c899c4f;+locale=en-US;+psaContext=domains https://domain.com:8443/plesk/clien.../file-manager/edit/?cmd=chdir&file=/httpdocs/ domain.com:8443 200 0 0 66324 469 19453

Scary. Time to reset passwords.

I applied the fix months ago. Does this mean the hackers dumped our databases months ago?

Mark
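The log line above is one W3C-format request record from the Plesk admin site. As an added example that is not from the poster or from Parallels, the shell script below runs a small awk report over lines in that layout: it groups file-manager requests by client IP and PLESKSESSID, and lists the IPs that are not on an allowlist of addresses administrators normally use, which is the quickest way to see how many distinct addresses are driving one "valid" session. Field positions follow the 22-field layout of the quoted line (client IP in field 11, URI in field 7, cookie in field 14), which is an assumption; the sample log lines, addresses and session ids are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the 22-field W3C layout of the quoted
# log line: cs-uri-stem is field 7, c-ip field 11, cs(Cookie) field 14.

# file_manager_activity LOGFILE
# One line per (client IP, PLESKSESSID) pair seen on file-manager requests:
#   c-ip session hits first-seen last-seen
file_manager_activity() {
    awk '
        /^#/ { next }                                   # W3C header lines
        index($7, "/file-manager/") > 0 {
            sess = "-"
            if (match($14, /PLESKSESSID=[0-9a-f]+/))
                sess = substr($14, RSTART + 12, RLENGTH - 12)   # strip "PLESKSESSID="
            key = $11 " " sess
            hits[key]++
            if (!(key in first)) first[key] = $1 " " $2
            last[key] = $1 " " $2
        }
        END { for (k in hits) print k, hits[k], first[k], last[k] }
    ' "$1" | sort
}

# suspicious_file_manager_ips LOGFILE "IP IP ..."
# Client IPs with file-manager activity that are not in the space-separated
# allowlist, with their total hit count. Every entry deserves a look: a valid
# session driven from an unexpected address is what stolen credentials look like.
suspicious_file_manager_ips() {
    file_manager_activity "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { total[$1] += $3 }
        END { for (ip in total) print ip, total[ip] }
    ' | sort
}

# make_sample_iis_log FILE: constructed sample in the quoted layout (documentation
# addresses, made-up session ids; user agents and cookies use IIS "+" for spaces).
make_sample_iis_log() {
    cat > "$1" <<'EOF'
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-07-09 00:38:38 W3SVC16922 WEBSRV 10.0.0.5 GET /plesk.php/client@97/domain@240/hosting/file-manager/edit/ cmd=chdir&file=/httpdocs/ 8443 - 203.0.113.5 HTTP/1.1 Mozilla/5.0+(Windows) PLESKSESSID=0123456789abcdef0123456789abcdef;+locale=en-US https://example.com:8443/plesk/ example.com:8443 200 0 0 66324 469 19453
2012-07-09 00:38:40 W3SVC16922 WEBSRV 10.0.0.5 GET /plesk.php/client@97/domain@240/hosting/file-manager/edit/ cmd=edit&file=/httpdocs/index.php 8443 - 203.0.113.5 HTTP/1.1 Mozilla/5.0+(Windows) PLESKSESSID=0123456789abcdef0123456789abcdef;+locale=en-US https://example.com:8443/plesk/ example.com:8443 200 0 0 51200 470 1200
2012-07-09 00:41:02 W3SVC16922 WEBSRV 10.0.0.5 GET /plesk.php/client@12/domain@40/hosting/file-manager/edit/ cmd=chdir&file=/httpdocs/ 8443 - 198.51.100.9 HTTP/1.1 Mozilla/5.0+(Linux) PLESKSESSID=fedcba9876543210fedcba9876543210;+locale=en-US https://example.com:8443/plesk/ example.com:8443 200 0 0 66000 460 900
2012-07-09 01:02:11 W3SVC16922 WEBSRV 10.0.0.5 GET /plesk.php/client@97/domain@240/hosting/file-manager/ - 8443 - 192.0.2.10 HTTP/1.1 Mozilla/5.0+(Macintosh) PLESKSESSID=00000000000000000000000000000001;+locale=en-US https://example.com:8443/plesk/ example.com:8443 200 0 0 40000 450 300
2012-07-09 01:05:00 W3SVC16922 WEBSRV 10.0.0.5 GET /login.php3 - 8443 - 203.0.113.5 HTTP/1.1 Mozilla/5.0+(Windows) - - example.com:8443 200 0 0 3000 300 100
EOF
}

# demo: writes the constructed sample and prints both reports, treating
# 192.0.2.10 as the only address administrators are expected to use.
case ${1:-} in
    --demo)
        f=$(mktemp)
        make_sample_iis_log "$f"
        echo "file-manager activity (ip session hits first last):"
        file_manager_activity "$f"
        echo "not on the allowlist:"
        suspicious_file_manager_ips "$f" "192.0.2.10"
        rm -f "$f"
        ;;
esac
```

On a real server, point `suspicious_file_manager_ips` at the IIS log for the 8443 site and pass the office or VPN addresses as the allowlist; before trusting field numbers, compare them against the `#Fields:` header of that log, since IIS lets the logged columns be changed.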
 