1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Server Hacked Into

Discussion in 'Plesk 9.x for Linux Issues, Fixes, How-To' started by TimGC, Jan 13, 2011.

  1. TimGC

    TimGC Guest

    I have a Plesk (9.5.4) VPS at a major hosting company. A couple of weeks ago I noticed that email was running slowly so I logged in and checked the server. Someone had created multiple email addresses under different domain names and was relaying spam through those accounts. I deleted the accounts/queued messages and called my hosting company. They recommended that I change all of my passwords and reboot the server. I changed all my passwords on that server as well as for my mail email accounts. I also restricted domain admin access.

    A week later the same thing happened. My hosting company said that the plesk logs show that the email accounts were created through the admin panel website so the "hacker" must have gotten the password from my "pc". They said that I probably have malware on my "pc".

    That all sounds reasonable except for the fact that I don't think that it's likely that someone got into my local computer. I'm on a new Mac, double firewalled running the latest software. I'm the only one with access to it and it's password protected. There are only a few applications on it and I doubt Adobe has malware in it. I don't download free internet apps and I'm not on a wireless network. There is no place where malware could have been introduced unless the OS is completely vulnerable at install, which I know it's not.

    But, just in case, I spent an entire day making sure my computer was not compromised. I bought and ran the two most popular mac spyware/malware/virus programs, nothing. I checked all processes and network connections, nothing. I was barely even able to find any threats for my OS. It's not that popular so hackers don't write stuff for it, yet.

    But, probably the most telling thing that makes me think that my local computer was not compromised is the fact that the password storage file I have on my local computer has logins for dozens of other servers, bank accounts, paypal/google checkout and even other VPS servers at this same hosting company. I think it's pretty unlikely that someone hacked into my local, firewalled computer and stole all my passwords and then targeted one empty server, twice.

    I think it's far more likely that my public web server, running an out of date version of plesk, was hacked into and my hosting company is utilizing the "blame the customer since we can't find the problem" support response. I would assume that Plesk was never properly secured or a vulnerability was introduced by them, me or one of my customers.

    Anyway, they said that they ran "run chkrootkit, rootcheck, and rkhunter" and have not found anything and that the hacker definitely mist have gotten the password off of my computer. BS.

    Any thoughts, suggestions? Other that the obvious one... go to a better hosting company.
    Last edited by a moderator: Jan 13, 2011
  2. Hostasaurus.Com

    Hostasaurus.Com Regular Pleskian

    Oct 8, 2009
    Likes Received:
    If there is data in your password file from other vps servers with the same host, then it's they who have been hacked, not your computer. Did you copy that data and send it to them and ask for an explanation?
  3. atomicturtle

    atomicturtle Golden Pleskian

    Nov 20, 2002
    Likes Received:
    Washington, DC
    obviously without all the details its hard to say exactly what happened here, are you keeping up with the latest updates from the vendor channels? There have been critical updates from both plesk and the vendors lately. The proftpd exploit from october comes to mind.

    Another method would be compromising one of your users accounts, and then using a local exploit to escalate privileges to the root account. There are constantly evolving threats on this vector that the OS vendors do a pretty good job staying on top of, keeping up with their updates is generally going to keep this one manageable. After that, shell users would be what I'd look at, followed by CGI / FCGI accounts. FTP logs might be helpful here, provided the attacker did not tamper with them.

    I don't want to bash your hosting company here, forensics work is really really hard. You play a lot of hunches and generally cant trust anything a potentially compromised OS tells you. It requires vast experience across many disciplines and folks with those skills are very rare and very expensive. Even as an expert unless I'm extraordinarily lucky an investigation takes days or weeks (sometimes months!) to really get to the bottom of exactly what happened.

    Anyway, poke around a bit and feel free to post your new details here. I'd be happy to help review them for you.
  4. TimGC

    TimGC Guest

    Thanks for your reply. It took me a couple of reads to get what you are saying and I realized that I wasn't clear in the password file part of my post. The file I was referring to was the one on my computer. My point was that if the hacker was on my computer they would have done more damage than they did.
  5. TimGC

    TimGC Guest

    Interesting. I'm going to go through some logs myself and google those exploits that you mentioned. I have not kept up with the updates (I assumed that the hosting company was, but there weren't) so I would bet that's a big part of the problem. Thanks for your reply!