Security problem with filemng

All the passwords were changed, none of the passwords were changed back yet the vulnerability still exists.
Not good.
 
I'll add my two cents.

Even if you follow the best practices there is still the possibility of backdoors, usually PHP shells stashed away in previously compromised websites. Since the attackers used the Plesk File manager, finding traces of these in logs is almost impossible as opposed to FTP uploads and xferlogs. You need to find these quickly and deal with them.

I came across a tool that helped track down specific malware signatures that us webhosters deal with regularly, and it's sad that there are few other tools out there to address this common problem. I use Malware Detect, or maldet, and it has made a significant difference since neither Clamav nor Rootkit Hunter are designed for these types of threats. http://www.rfxn.com/projects/linux-malware-detect/

It is quite good at detecting base64 or other types of encoded malware, although I suggest disabling the quarantine feature so you can deal with suspect files manually, since it has a tendency to flag all encoded files as suspect. But this is a good type of paranoia, in my opinion. Intruders will sometimes add random text as PHP comments to make base64 signatures even harder to detect consistently, so reviewing these files individually becomes necessary.

For Windows, you can use the signature files that come with maldet to scan with Clamwin with a command similar to
Code:
c:\progra~1\clamwin\bin\clamscan.exe --database=c:\rfxndb -r --infected --max-filesize=2M --log=c:\rfxnscan.log %plesk_vhosts%
where --database=c:\rfxndb is where you copied the latest rfxn.hdb and rfxn.ndb maldet signature files, and --log=c:\rfxnscan.log will be the scan results.


Do not underestimate your customers' ignorance: though you may tell them to NOT re-use their old compromised passwords, they may not take you seriously, or someone else within their organization who hasn't been made aware will restore the old credentials. For this reason I have renamed or chmodded get_password.php to be unreadable, in case someone within the customer's entourage can't log in because of the password change, goes through the "Forgot your Password" procedure and puts back his old password. This forces them to call your technical support department instead. What I really want to do is replace get_password.php with a more polite page asking to contact us for password problems, when I have the time.

I had a customer restore his old password RIGHT IN THE MIDDLE OF A BOT SCAN and his site was compromised less than two hours later!
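An added example, not from the original post and not part of maldet: a small Python checker that strips PHP comments and whitespace before matching, so the comment-padding trick described above does not split the signature. The signature patterns, the directory walker and the sample file contents are constructed for illustration.

```python
import os
import re
from typing import Dict, List

# Signature patterns matched AFTER comments and whitespace are removed, so a
# comment wedged between "eval(" and "base64_decode(" no longer hides the call.
SIGNATURES = {
    "eval-of-base64": re.compile(r"eval\(base64_decode\("),
    "gzinflate-of-base64": re.compile(r"gzinflate\(base64_decode\("),
    "request-to-exec": re.compile(r"(system|passthru|shell_exec|exec)\(\$_(GET|POST|REQUEST)\["),
}

# Naive comment stripper: block, // and # comments. It does not parse string
# literals, so a '#' or '//' inside a string is also stripped (fine for triage).
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

def normalize_php(src: str) -> str:
    """Remove comments, then collapse all whitespace."""
    return re.sub(r"\s+", "", _COMMENT_RE.sub("", src))

def scan_source(src: str) -> List[str]:
    """Return the names of signatures that hit the normalized source."""
    norm = normalize_php(src)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan an in-memory {path: source} map; only files with hits are returned."""
    return {p: hits for p, src in files.items() if (hits := scan_source(src))}

def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a vhost tree (e.g. /var/www/vhosts) and scan every .php file."""
    found: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    found[p] = fh.read()
    return scan_files(found)

# Constructed sample files (not taken from any real incident).
SAMPLES = {
    "index.php": "<?php\n// front page\necho 'hello';\n",
    # Obfuscated dropper: random comments split the signature across tokens.
    "cache.php": "<?php /* lorem */ eval( /* ipsum */ base64_decode( # dolor\n'aGVsbG8=' ) ); ?>",
    "img.php": "<?php\n$c = $_GET['cmd']; // kept for 'maintenance'\nsystem( $_GET['cmd'] );\n",
}
```

Matching the raw text of cache.php against the same eval/base64 pattern finds nothing; only the normalized form is caught, which is the point of reviewing flagged files rather than relying on one exact string.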
 
Lol, excellent post scooby.

I've used R-fx Network's stuff before (apf + bfd) and found them quite reliable, so I will give that idea a go.

Excellent suggestion on the forgotten password thing too.

Regards,
Chris
 
Let me know how it turns out for you. A colleague of mine ran this for the first time and he nearly had a heart attack once he realized that what he considered to be a relatively clean server had dozens of PHP Shells, IRC bots, malware droppers and iFrame linkspam in many sites. This tool can be quite an eye-opener.
 
Yes, you are correct. Old Plesk versions like 8.1 do not have the MicroUpdates mechanism.

Hey Mate, after running the update, when I log in to Plesk and search for a domain and click on it, I am presented with a white page with the toolbar down the left.
Other areas seem fine but I can't get into the domain page to add/edit emails, etc.

Any ideas?

Running Plesk 8.1 and JUST applied http://kb.parallels.com/en/114378

Was working fine before that.

Here is the error I get when I enable display_errors.
Fatal error: Cannot redeclare hardquota_enabled() in /usr/local/psa/admin/plib/class.SysUser.php on line 933

Please help, I can't manage/modify/add/remove ANY domains on this server at the moment.

Cheers.
 
Today on almost all servers (even updated with latest PLESK) I got hacked. I get the c3284d type of virus (C99 Shell), still dunno how and why on all servers today. SO if anyone have a hint, let me know.
Now I play with clamscan and maldet :-(
 
Did you see any suspicious activity in the Plesk Action Log?
 