Facebook
Twitter
S
Squeeb
Guest
All the passwords were changed, none of the passwords were changed back yet the vulnerability still exists.
Not good.
Not good.
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
Security problem with filemng
- Thread starter galaxy
- Start date
I'll add my two cents.
Even if you follow the best practices there is still the possibility of backdoors, usually PHP shells stashed away in previously compromised websites. Since the attackers used the Plesk File manager, finding traces of these in logs is almost impossible as opposed to FTP uploads and xferlogs. You need to find these quickly and deal with them.
I came across a tool that helped track down specific malware signatures that us webhosters deal with regularly, and it's sad that there are few other tools out there to address this common problem. I use Malware Detect, or maldet, and it has made a significant difference since neither Clamav nor Rootkit Hunter are designed for these types of threats. http://www.rfxn.com/projects/linux-malware-detect/
It is quite good at detecting base64 or other types of encoded malware, although I suggest disabling the quarantine feature so you can deal suspect files manually since it has a tendency to flag all encoded files as suspect. But this is a good type of paranoia, in my opinion. Intruders will sometimes add random text as PHP comments to make base64 signatures even harder to detect consistently, so reviewing these files individually becomes necessary.
For Windows, you can use the signature files that come with maldet to scan with Clamwin with a command similar to
where --database=c:\rfxndb is where you copied the latest rfxn.hdb and rfxn.ndb maldet signature files and --log=c:\rfxnscan.log will the be the scan results.
Do not underestimate your customer's ignorance as though you may tell them to NOT re-use their old compromised passwords, they may not take you seriously or someone else within their organization who hasn't been made aware will restore the old credentials. For this reason I have renamed or chmodded the get_password.php to be unreadable in case someone within the customer's entourage can't login because of the password change, goes through the "Forgot your Password" procedure and puts back his old password. This forces them to call your technical support department instead. What I really want to do is replace get_password.php with a more polite page asking to contact us for password problems, when I have the time.
I had a customer restore his old password RIGHT IN THE MIDDLE OF A BOT SCAN and his site was compromised less than two hours later!
Even if you follow the best practices there is still the possibility of backdoors, usually PHP shells stashed away in previously compromised websites. Since the attackers used the Plesk File manager, finding traces of these in logs is almost impossible as opposed to FTP uploads and xferlogs. You need to find these quickly and deal with them.
I came across a tool that helped track down specific malware signatures that us webhosters deal with regularly, and it's sad that there are few other tools out there to address this common problem. I use Malware Detect, or maldet, and it has made a significant difference since neither Clamav nor Rootkit Hunter are designed for these types of threats. http://www.rfxn.com/projects/linux-malware-detect/
It is quite good at detecting base64 or other types of encoded malware, although I suggest disabling the quarantine feature so you can deal suspect files manually since it has a tendency to flag all encoded files as suspect. But this is a good type of paranoia, in my opinion. Intruders will sometimes add random text as PHP comments to make base64 signatures even harder to detect consistently, so reviewing these files individually becomes necessary.
For Windows, you can use the signature files that come with maldet to scan with Clamwin with a command similar to
Code:
c:\progra~1\clamwin\bin\clamscan.exe --database=c:\rfxndb -r --infected --max-filesize=2M --log=c:\rfxnscan.log %plesk_vhosts%Do not underestimate your customer's ignorance as though you may tell them to NOT re-use their old compromised passwords, they may not take you seriously or someone else within their organization who hasn't been made aware will restore the old credentials. For this reason I have renamed or chmodded the get_password.php to be unreadable in case someone within the customer's entourage can't login because of the password change, goes through the "Forgot your Password" procedure and puts back his old password. This forces them to call your technical support department instead. What I really want to do is replace get_password.php with a more polite page asking to contact us for password problems, when I have the time.
I had a customer restore his old password RIGHT IN THE MIDDLE OF A BOT SCAN and his site was compromised less than two hours later!
S
Squeeb
Guest
Lol, excellent post scooby.
I've used R-fx network's stuff before, (apf + bfd) and found then quite reliable so I will give that idea a go.
Excellent suggestion on the forgotten password thing too.
Regards,
Chris
I've used R-fx network's stuff before, (apf + bfd) and found then quite reliable so I will give that idea a go.
Excellent suggestion on the forgotten password thing too.
Regards,
Chris
Let me know how it turns out for you. A colleague of mine ran this for the first time and he nearly had a heart attack once he realized that what he considered to be a relatively clean server had dozens of PHP Shells, IRC bots, malware droppers and iFrame linkspam in many sites. This tool can be quite an eye-opener.
Hey Mate, after running the update, when I login to plesk and search for a domain and click on it, I am presented with a white page with the toolbar down the left.
Other areas seem fine but I can't get into the domain page to add/edit emails, etc.
Any ideas?
Running Plesk 8.1 and JUST applied http://kb.parallels.com/en/114378
Was working fine before that.
Here is the error I get when I enable display_errors.
Fatal error: Cannot redeclare hardquota_enabled() in /usr/local/psa/admin/plib/class.SysUser.php on line 933
Please help, I can't manage/modify/add/remove ANY domains on this server at the moment.
Cheers.
Last edited:
Did you see any suspicious activity in the Plesk Action Log?
