Server hacked

Status
Not open for further replies.
parisioa

Guest
My Plesk server was hacked, and I now have several problems.

My admin password was apparently changed (I can't get in using it, and I know what it is/was).

Whenever you try to go to any site hosted on this server, you get prompted for login credentials; Plesk Reconfigurator couldn't fix this. I tried changing the PW on the account and using that in IIS, but it didn't work, so I have all my sites inaccessible.

Finally, the MailEnable exploit was used, and it was running an SMTP relay server. I noticed this and disabled that service, but I can't get the first 2 problems fixed.
 
Thanks, that worked for the IIS login problems.

I fixed the Plesk admin account; somebody had hacked and changed that password.

My firewall was tracking 6000 concurrent TCP connections from this box, all dport=110.
 
Originally posted by parisioa
In my transparent firewall,
cat /proc/net/ip_conntrack | wc -l

Post seems to be for a Linux version of Plesk.
 
Originally posted by 3dguru
Post seems to be for a Linux version of Plesk.
I have a transparent Ethernet bridge/firewall in front of an entire rack of hardware, including Windows Plesk installations, pure IIS webservers, mail servers, etc.

Edit: the transparent firewall is a home-built Debian box.
 
Originally posted by parisioa
I have a transparent Ethernet bridge/firewall in front of an entire rack of hardware, including Windows Plesk installations, pure IIS webservers, mail servers, etc.

Edit: the transparent firewall is a home-built Debian box.

If you find out how it is hacked, please let me and support know.

If it is a Plesk or they penetrate using another hole...
 
Originally posted by 3dguru
If you find out how it is hacked, please let me and support know.

If it is a Plesk or they penetrate using another hole...

It was definitely a MailEnable hack. I had the MailEnable SMTP Relay Agent service (or whatever it was that was in c\windows\), there was also a Serv-U daemon installed which I nuked, but it was useless to the hackers b/c the transparent firewall would have kept them from being able to use it for anything (only a select number of ports are opened, and there is no way anybody could access that firewall).
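
The conntrack count mentioned in this thread gives only a total; the same table can be broken down per source host and destination port to show which box is responsible for a flood such as the dport=110 one. This is an added example, not part of any post: the function names, the threshold and the sample entries (documentation addresses) are constructed.

```shell
#!/bin/sh
# Added example: break a conntrack table down by (source host, destination port).

# Constructed sample in /proc/net/ip_conntrack format (documentation addresses).
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=1201 dport=110 src=198.51.100.7 dst=192.0.2.10 sport=110 dport=1201 [ASSURED] use=1
tcp      6 431991 ESTABLISHED src=192.0.2.10 dst=198.51.100.8 sport=1202 dport=110 src=198.51.100.8 dst=192.0.2.10 sport=110 dport=1202 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.9 sport=1203 dport=110 [UNREPLIED] src=198.51.100.9 dst=192.0.2.10 sport=110 dport=1203 use=1
tcp      6 431800 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=1300 dport=80 src=203.0.113.5 dst=192.0.2.10 sport=80 dport=1300 [ASSURED] use=1
tcp      6 431700 ESTABLISHED src=192.0.2.20 dst=198.51.100.7 sport=2001 dport=110 src=198.51.100.7 dst=192.0.2.20 sport=110 dport=2001 [ASSURED] use=1
udp      17 25 src=192.0.2.10 dst=203.0.113.53 sport=3000 dport=53 src=203.0.113.53 dst=192.0.2.10 sport=53 dport=3000 [ASSURED] use=1
EOF
}

# top_talkers THRESHOLD
# Reads conntrack lines on stdin and prints "count src dport" for every
# original-direction (src, dport) pair with at least THRESHOLD tracked TCP
# connections, busiest first.
top_talkers() {
    awk -v min="$1" '
        # Legacy ip_conntrack puts the protocol in field 1; the newer
        # nf_conntrack layout prefixes "ipv4 2", moving it to field 3.
        $1 == "tcp" || $3 == "tcp" {
            src = ""; dport = ""
            # Each line carries two tuples. Only the first src= and dport=
            # describe who opened the connection; the second is the reply.
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (src != "" && dport != "") n[src " " dport]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort -rn
}

# Demo on the constructed sample: one host holds three port-110 connections.
sample_conntrack | top_talkers 3
```

On the firewall itself the live table would be read instead, for example `top_talkers 100 < /proc/net/ip_conntrack`, where the threshold of 100 is an assumed value to tune to normal traffic.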
 