
Server hacked

parisioa

Guest
My Plesk server was hacked, and I now have several problems.

My admin password was changed apparently (I can't get in using it, and I know what it is/was).

Whenever you try to go to any site hosted on this server, you get prompted for login credentials; Plesk Reconfigurator couldn't fix this. I tried changing the PW on the account and using that in IIS, but it didn't work, so I have all my sites inaccessible.

Finally, the MailEnable exploit was used, and it was running an SMTP relay server. I noticed this and disabled that service, but I can't get the first 2 problems fixed.
 
Thanks, that worked for the IIS login problems.

I fixed the Plesk admin account; somebody had hacked it and changed that password.

My firewall was tracking 6000 concurrent TCP connections from this box, all dport=110.
 
Originally posted by parisioa
In my transparent firewall,
cat /proc/net/ip_conntrack | wc -l

Post seems to be for a Linux version of Plesk.
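The conntrack count quoted above only gives a total; what actually pointed at the compromise was one internal host holding thousands of entries to a single destination port. Here is an added example (not code from either poster) that summarises conntrack entries by source and destination port and flags fan-out above a threshold. It assumes the classic /proc/net/ip_conntrack line layout, where the first src= and dport= tokens describe the original direction of the flow, and it uses a constructed sample with hypothetical addresses.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/ip_conntrack format (assumed layout).
# 10.0.0.5 is a hypothetical compromised host, 10.0.0.7 a normal one.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=110 src=203.0.113.10 dst=10.0.0.5 sport=110 dport=51234 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.0.0.5 dst=203.0.113.11 sport=51235 dport=110 [UNREPLIED] src=203.0.113.11 dst=10.0.0.5 sport=110 dport=51235 use=1
tcp      6 117 SYN_SENT src=10.0.0.5 dst=203.0.113.12 sport=51236 dport=110 [UNREPLIED] src=203.0.113.12 dst=10.0.0.5 sport=110 dport=51236 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=198.51.100.9 sport=40001 dport=443 src=198.51.100.9 dst=10.0.0.7 sport=443 dport=40001 [ASSURED] use=1
udp      17 29 src=10.0.0.7 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=10.0.0.7 sport=53 dport=5353 use=1'

# Read conntrack lines on stdin and print "count src dport" per TCP
# (src, dport) pair, highest count first. Only the first src= and dport=
# on each line are used: that is the original direction of the flow.
conntrack_summary() {
    awk '$1 == "tcp" {
        src = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src != "" && dport != "") n[src " " dport]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Print "src dport count" for every pair with at least $1 entries.
# An internal host with thousands of flows to one port (here 110)
# is the kind of outbound fan-out a relay or scanner produces.
flag_fanout() {
    threshold=$1
    conntrack_summary | awk -v t="$threshold" '$1 >= t { print $2, $3, $1 }'
}

# Live use on the firewall (assumed path, as in the thread):
#   flag_fanout 500 < /proc/net/ip_conntrack
# Newer kernels expose the same src=/dport= tokens in /proc/net/nf_conntrack.
```

On the constructed sample, `flag_fanout 3` reports only 10.0.0.5 on dport 110; the single HTTPS flow from 10.0.0.7 stays below the threshold.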
 
Originally posted by 3dguru
Post seems to be for a Linux version of Plesk.
I have a transparent ethernet bridge/firewall in front of an entire rack of hardware, including Windows Plesk installations, pure IIS web servers, mail servers, etc.

Edit: the transparent firewall is a home-built Debian box.
 
Originally posted by parisioa
I have a transparent ethernet bridge/firewall in front of an entire rack of hardware, including Windows Plesk installations, pure IIS web servers, mail servers, etc.

Edit: the transparent firewall is a home-built Debian box.

If you find out how it was hacked, please let me and support know.

If it is Plesk, or they penetrated using another hole...
 
Originally posted by 3dguru
If you find out how it was hacked, please let me and support know.

If it is Plesk, or they penetrated using another hole...

It was definitely a MailEnable hack. I had the MailEnable SMTP Relay Agent service (or whatever it was that was in c\windows\); there was also a Serv-U daemon installed, which I nuked, but it was useless to the hackers because the transparent firewall would have kept them from being able to use it for anything (only a select number of ports are opened, and there is no way anybody could access that firewall).
 