Security problem with filemng

[AlexandreS]

Several files infected.

To scan and clean I'm using this command:

grep -ilr 'km0ae9gr6m' /var/www/vhosts | while read arq; do echo $arq; echo $arq >> /root/infected.txt; sed -i 's/km0ae9gr6m[^>]*qhk6sa6g1c/virus removed/g' $arq; done;

 

[galaxy]

This is a new plesk vulnerability

Yes, I believe this is a NEW vulnerability.
I have MU17 applied, and the php script says the patch had been successfully applied.

I logged in to find active sessions on almost every account from all over the internet.

I changed the passwords to the admin/client accounts and they just got them AGAIN.

 

[galaxy]

Yes, I have the latest using 9.5.4 MU17. It says the vulnerability patch is installed. The passwords were changed. They got the new ones right away, not much protection there. I just found over 100 active sessions from all over the internet.

This is a NEW vulnerability.

 

[AlexandreS]

I also think it's a NEW vulnerability, my servers were all updated with the microupdate and were exploited.

Only the ones with Atomic Secured Linux were not affected.

I'm also using this command to clean the infected files (slightly different from my previous post):

grep -ilr 'km0ae9gr6m' /var/www/vhosts/ | while read arq; do echo $arq; echo $arq >> /root/infected.txt; sed -ni '1h;1!H;${x;s/km0ae9gr6m.*qhk6sa6g1c/virus removed/;p}' $arq; done;

 

[Dunc32]

Likewise, I have the patch installed, auto-changed all passwords and cleaned out the infected files on Friday, but have been compromised again this morning. This must be a NEW vulnerability. Any help is appreciated!

 

[dgarciap]

I´m sure its a NEW vulnerability too. Parallels support didn´t do anything, they answer to find a administrator :-(

 

[rbstern]

I was patched on one server, unpatched on another. Both were penetrated. After patching the second server, then changing the client account passwords, the Plesk logs show the exploits are failing at the control panel login.

I'm also using corncrake's script via cron for monitoring the files, which is very handy. Thanks, corncrake!

 

[IgorG]

It is NOT new vulnerability. We strongly recommend you remove all records in 'sessions' table of psa database after mass password changing.

Use something like:

mysql> delete from sessions;

 

[Squeeb]

Yea, same here. Had the patch applied.

Can only guess that the passwords (which are stored in plain text in MySQL who's root password is located in /etc/psa/.psa.shadow wtf?) were compromised during the last exploit.

 

[IgorG]

Yea, same here. Had the patch applied.

Can only guess that the passwords (which are stored in plain text in MySQL who's root password is located in /etc/psa/.psa.shadow wtf?) were compromised during the last exploit.

Generally, you should:

(1) apply fixes <-- http://kb.parallels.com/113321
(2) reset all passwords and make sure your clients don't change the passwords back <-- mail passwords could be skipped
(3) remove sessions records from psa db <-- mysql> delete from sessions;
(4) remove infected files <-- http://forum.parallels.com/showpost.php?p=630228&postcount=24

It should help.

 

[MihaiV]

@IgorG it cannot be http://kb.parallels.com/en/113321 because at least for us servers had the patch applied long time ago and trojan was installed yesterday.

 

[IgorG]

@IgorG it cannot be http://kb.parallels.com/en/113321 because at least for us servers had the patch applied long time ago and trojan was installed yesterday.

In that case why do you think that trojan was installed because of Plesk vulnerability?
Did you clean sessions immediately after changing ALL passwords long time ago?

 

[Squeeb]

I will enable our admin panel again on one of our "less important" plesk servers and see what happens with the sessions table cleared and let you know.

hehe .. BAIT!

 

[IgorG]

I will enable our admin panel again on one of our "less important" plesk servers and see what happens with the sessions table cleared and let you know.

hehe .. BAIT!

Do not forget change ALL passwords there before test.

 

[Squeeb]

php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` 'hurrrrderp' --users --domains --domainadmins --admin

Is the command I used.

I didn't want to reset everybody's mail password as I didn't think that was necessary.
If it is, that will totally suck.

 

[IgorG]

I didn't want to reset everybody's mail password as I didn't think that was necessary.

Ok. But in that case we can't talk about Plesk vulnerability consequences. Patch will not allow new attacks but already stolen passwords allows hackers to install any trojans on your already protected by patch Plesk server.

Read "Best Practices" here http://kb.parallels.com/en/113321

 

[Dunc32]

I have found the client account they had been using to access and have now locked it down and changed all the passwords again. Will monitor the situation but I don't believe it is a new vulnerability any more.

 

[MihaiV]

Was done though the interface on multiple servers (different passwords and so) using interface and filemanager.
@Igor there wasn't any sing then that it was hacked, patch was applied in the same day it was released.
And will be kind of odd to actually break a server after some time

 

[AndresT]

Having the same issue, cleaning the websites with the scripts provided, TY

 

[markytx]

My plesk admin site log is full of lines like this:

2012-07-09 00:38:38 W3SVC16922 XXX 216.x.x.x GET /plesk.php/client@97/domain@240/hosting/file-manager/edit/ cmd=chdir&file=/httpdocs/ 8443 - 182.93.234.129 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/536.5+(KHTML,+like+Gecko)+Chrome/15.0.1084.56+Safari/546.5 PLESKSESSID=8594fbb307a4224f265af04f2c899c4f;+locale=en-US;+psaContext=domains https://domain.com:8443/plesk/clien.../file-manager/edit/?cmd=chdir&file=/httpdocs/ domain.com:8443 200 0 0 66324 469 19453

Scary. Time to reset passwords.

I applied the fix months ago. Does this mean the hackers dumped our databases months ago?

Mark