
Security problem with filemng

Hello

I have the same issue.

logfile:
xxx domain.com:8443 - [09/Jul/2012:03:25:26 +0200] "GET /plesk/client@72/domain@122/hosting/file-manager/ HTTP/1.1" 303 0 "https://domain.com:8443/plesk/client@72/domain@122/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/15.0.1084.56 Safari/546.5"

plesk 9.5.2
 
I've changed my admin password.

IgorG: I use PBAS. If I change the user's passwords, won't that break the connection to PBAS?
 
Hi. How did you identify which client account was being used?
Thanks
 
/var/log/audit/audit.log and /var/log/secure.log.* are your friends.

You'll have to convert from unix epoch to human readable time on audit.log.

You can marry up the user authenticating via the plesk admin panel with the users present in either of those log files by using the timestamp.
That'll let you know which user was compromised.

However, the only way to be sure an attacker cannot repeat the hack using a different username / password combination is to change all the unix user passwords, so that would be site / hosting users etc.

I wouldn't imagine mail users would have this issue as they are virtual users and not unix users.
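
The timestamp matching described in the post above, as an added example that is not part of the original thread. The panel line follows the shape of the log line quoted earlier; the audit.log lines, their field layout, the account names and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample data. The panel line follows the shape of the log line
# quoted earlier in this thread; the audit lines are made up for illustration.
PANEL_LOG = [
    'xxx domain.com:8443 - [09/Jul/2012:03:25:26 +0200] '
    '"GET /plesk/client@72/domain@122/hosting/file-manager/ HTTP/1.1" 303 0',
]
AUDIT_LOG = [
    "type=USER_AUTH msg=audit(1341797120.482:901): user pid=4121 uid=0 "
    "msg='PAM: authentication acct=\"siteuser1\" : exe=\"/usr/sbin/proftpd\" res=success'",
    "type=USER_AUTH msg=audit(1341790000.101:877): user pid=3990 uid=0 "
    "msg='PAM: authentication acct=\"otheruser\" : exe=\"/usr/sbin/sshd\" res=success'",
]

PANEL_RE = re.compile(r'\[([^\]]+)\] "(?:GET|POST) (\S*/file-manager/\S*)')
AUDIT_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\).*?acct="([^"]+)"')

def panel_events(lines):
    """Yield (epoch_seconds, path) for file-manager requests in the panel log."""
    for line in lines:
        m = PANEL_RE.search(line)
        if m:
            # The panel log carries local time plus a UTC offset.
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield int(ts.timestamp()), m.group(2)

def audit_events(lines):
    """Yield (epoch_seconds, unix_account) from audit.log records naming an acct."""
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2)

def correlate(panel_lines, audit_lines, window=60):
    """Pair each panel file-manager request with unix accounts seen within `window` seconds."""
    audits = list(audit_events(audit_lines))
    hits = []
    for p_epoch, path in panel_events(panel_lines):
        for a_epoch, acct in audits:
            if abs(a_epoch - p_epoch) <= window:
                when = datetime.fromtimestamp(a_epoch, timezone.utc).isoformat()
                hits.append((acct, when, path))
    return hits

if __name__ == "__main__":
    for acct, when, path in correlate(PANEL_LOG, AUDIT_LOG):
        print(f"{when}  unix user {acct}  near panel request {path}")
```
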
 
I've changed only my admin password for now, and emptied the session table. Waiting to see if it happens again.

Note that on Windows the SQL or MySQL password is really hard to find.

I also have the complication of PBAS and Expand that prevents me from upgrading my Plesk installs.
 
According to this site: http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ the problem is Plesk-specific and brings up an interesting issue. If hackers are gaining access to Plesk, and the servers have already been patched, then either:

1. There's another bug, or
2. Our databases were dumped months ago

Option 2 is especially scary.

Unfortunately, option 2 is highly probable.

I guess hackers grabbed Plesk databases and then suspended their violent activity about 2-2.5 months ago in order to lull Plesk owners' vigilance.
Now we are observing a new round of the exploit that is based on the grabbed Plesk databases.

Please follow "Best Practices" from http://kb.parallels.com/113321.

Sorry for the inconvenience.
 
Our development team created a small executable to remove the script virus pattern from .htm, .html, .php, .asp, .css files for Windows-based Plesk control panel websites. We will provide the link soon for all Plesk CP users.
 
I'll have to say that "Option 2" is unlikely, *not* highly probable.

We had changed all the passwords as per the KB, and in less than 24 hours they were back in again with the new passwords. They hacked Plesk again using all the newly generated passwords.
 
Did you delete all of the current sessions before changing the passwords?
 
The server was rebooted before and after (to assure it was clean).

Also, the PBAS server was rebooted...
 
Just restarting plesk is enough. Rebooting is overkill, but you know you have a clean webserver and other services as well, and the caches are cleared. Try it yourself (before and after checking active sessions).
 
They hacked Plesk again using all the newly generated passwords.

Hello, galaxy. Could you, please, provide a bit more information? How have you discovered "they hacked"?
Have you found new infected files? Have you explored the log files for operations on infected files? How long after you changed passwords and cleaned up sessions did "they hack" your server? Is it possible that someone (your client) changed the passwords back? We'd be grateful if you could give us as much information as possible about what happened.
You should understand that we can fix the issue with your assistance only. Thanks.
 
Just got cleared up. As the Parallels guys are saying, they harvested the psa databases for passwords before the patch was released. So back in February, when the patch was released, was the time to change all the passwords on ALL your servers running Plesk. On a couple of our boxes we didn't see any suspicious entries in the logs so we assumed that those servers were safe enough. We were wrong, they uploaded their scripts, but luckily we found them quickly and dealt with the situation.

What we really need to know is: does anyone have the logs from the initial harvest of passwords? Did they take the complete database or just Plesk and FTP passwords? Do we need to change email passwords as well if we are running mail on the same servers?

Can we look forward to the plesk agent API being locked down in 9.x?
 
How do you monitor login attempts via sw-cp-serverd? I want to see logs of the login attempts (which hopefully fail now after the password changes) before I can be certain that the patch fixed the security issue.
 
Jsvirusfixer - download link

You can download the virus fixer executable for Windows Plesk servers from the link below: jsvirusfixer
 
Same here,

Had the break-in in February, installed the patch and cleaned the system.

On 9.7 and 10.7, however, there were successful break-ins.

They modified the files and placed the malware JavaScript.
However, I couldn't find any FTP logins, so can anyone tell me
how they modified the files without using FTP?
On some of the webpages there are even dynamic PHP scripts
which could be used to place code in files...

thanks
 