
Server hacked: control panel login doesn't function

HMnet

Hi @all!

I have a huge problem with my 1&1 RootStart - Plesk 8.1.
Yesterday the server was hacked, with my admin-password :-(

The hacker replaced all index.html, index.php and login.php files with his index.html with foreign data, and he deleted all logfiles.

I managed to restore the data of my customers; all systems are OK now.

But I can't log in to Plesk's Control Panel. I replaced the files in /usr/local/psa/admin/htdocs with the original files from Plesk, which I had on another server. Now I get the error:
"The file login.php3 is part of Plesk distribution. It cannot be run outside of Plesk environment."

I tried to reinstall or to upgrade Plesk using RPM files. This doesn't work. I got many errors.

Does anyone have another idea to solve this problem?

THX, HMnet
 
You never know what else the hacker did with your machine (rootkits, backdoors, keylisteners, etc.). I'd say reimage and restore customer data from backups. That's the only way to be sure.
 
Ok, you are right. That's what I have to do in a quiet minute.

But I thought I could quickly solve the problem, so I can manage the server again until I can reimage the server.

Brand :confused:
 
I'd also suggest a hefty firewall in front of your machines. I learned that lesson a long time ago. Also, you may want to lock down the admin user's ability to log in to the admin panel to specific subnets.

I only allow necessary ports through my firewall to my Plesk servers.

TCP
FTP - 20, 21
SSH - 22
SMTP - 25
DNS - 53
HTTP - 80
POP3 - 110
IMAP4 - 143
HTTPS - 443
Adminserv - 8443

Optional TCP
SMTPS - 465
SMTP Submission - 587
Secure POP and IMAP - 993, 995

UDP
DNS - 53

Also, do not grant shell access to anyone by default. It's not necessary in most cases.

That's just my thoughts. I've had my history of being hacked.

Daily backups and weekly imaging are always a good idea too!

Thanks,
James
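
The allowlist from the post above, written out as a default-deny ruleset (an added example, not part of the original post). It generates iptables-restore input; the admin subnet 203.0.113.0/24 is a placeholder assumption, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: build iptables-restore input from the port list in the post.
# ADMIN_NET is an assumed placeholder (RFC 5737 documentation range).
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

TCP_PUBLIC="20 21 22 25 53 80 110 143 443"   # required TCP ports from the post
TCP_OPTIONAL="465 587 993 995"               # SMTPS, submission, IMAPS, POP3S
UDP_PUBLIC="53"                              # DNS
PANEL_PORT="8443"                            # Plesk admin panel

# gen_rules yes|no : print the ruleset; "yes" also opens the optional ports.
gen_rules() {
    ports="$TCP_PUBLIC"
    if [ "${1:-no}" = "yes" ]; then
        ports="$ports $TCP_OPTIONAL"
    fi
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # default deny for anything not listed below
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_PUBLIC; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # Panel logins only from the admin subnet, as the post suggests.
    echo "-A INPUT -p tcp -s $ADMIN_NET --dport $PANEL_PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo "COMMIT"
}

# Print the ruleset when run as: sh script.sh print [yes|no]
if [ "${1:-}" = "print" ]; then
    gen_rules "${2:-no}"
fi
```

Pipe the output through `iptables-restore --test` to validate it before loading. Passive-mode FTP data ports are not in the post's list and are not opened here.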
 