• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue System hacked - help

PeterCardiff

PeterCardiff

New Pleskian
Hi,

This is my first post so hello to everyone.
We've been recently hacked thru the I believed support portal which allowed people to attached the files.
Soon after the server was trying to send lots of the spam close to 40k in a 2 days time- most of the where blocked as we got limit set to 100 per hour for sending emails.
The spam was coming from php script which was hidden in one of the main website folder.
We have noticed that all the index.html files on the main page have been replaced with index.php files.
So I removed all the files website and replaced with the old local back up.
I have also changed the password for the root access.
However, after 1 day the files on the website has been replaced again.
Today I have also changed the password for ftp user and I am going to set only one specific static IP for SSH access.

Please see attached warnings from rkhunter/calmav

Thanks in advance for your help.
Pete
 

Attachments

  • rkhunter-report.pdf
    336.9 KB · Views: 6
See all the warning below

[08:37:00] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[08:37:00] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]

[08:37:02] Checking for enabled xinetd services [ Warning ]
[08:37:02] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[08:37:02] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa

[08:37:14] Checking for hidden files and directories [ Warning ]
[08:37:14] Warning: Hidden directory found: /dev/.mdadm
[08:37:14] Warning: Hidden directory found: /dev/.udev
[08:37:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/sbin/.sendmail.postfix-wrapper.swp: Vim swap file, version 7.4
[08:37:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text

[08:37:16] Checking version of Apache [ Warning ]
[08:37:16] Warning: Application 'httpd', version '2.2.15', is out of date, and possibly a security risk.
 
Also, I do get "Apache memory usage" warnings that the server is taking too much memory over 1.2 GB where normally it was around 600Mb
 
I am having trouble to understand what you are asking for. Could you please form specific questions?
 
I am sorry Peter I was typing in rush,

I am looking for ideas how to fix a hacked server?

Are these hidden files are correct?


[08:37:14] Checking for hidden files and directories [ Warning ]
[08:37:14] Warning: Hidden directory found: /dev/.mdadm
[08:37:14] Warning: Hidden directory found: /dev/.udev
[08:37:14] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5identity.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/share/man/man5/.k5login.5.gz: gzip compressed data, from Unix, max compression
[08:37:14] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[08:37:14] Warning: Hidden file found: /usr/sbin/.sendmail.postfix-wrapper.swp: Vim swap file, version 7.4
[08:37:14] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
 
Why I've got warning msg for following lines?

[08:37:00] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[08:37:00] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
 
I don't see any issues with that.
Please refer to http://www.sys-admin.gr/232/plesk/rkhunter-and-plesk-xinetd-services/ for details.

If your subscriptions have SSH access without chroot, I suggest to reinstall the complete server from scratch, because a smart hacker can then have moved software onto the system that you'll never find. If your subscriptions are all chrooted or do not provide SSH access, you should be o.k.

Make sure that your /tmp directory (or partition) does not have exec permissions, else it can be possible to start software from there.

It is not enough to replace a hacked website with a backup. You must find the security holes and close them. Normally, plugins to software like Joomla or Wordpress provide access to hackers.
 
Thanks Peter,

The subscriber/user didn't have access to SSH , so should I be alright then?

I found trojans on tmp files (on root folder and var/tmp), however I cannot disable the exec permissions as I couldn't login to the Plesk webpage.
At the moment I removed all files from the main domain and scanning the system via calmav and removing any other infected files.
 
I know which website has been cracked - We were hosting the Support Ticketing Portal which allowed users to upload files/attched files eg screen-shoot. However, someone uploaded the trojan and then took control of the domain.
 
Hello:

Just wondering if you resolved this issue? And if so how?

I have the same hack on my Plesk server, started in Jan/Feb this year - a vendor trying to send me an email noticed that Gmail was blocking email being directed to my Gmail account, the hacker scripts had been sending out 10's of 1,000's email - other mail services have blocked email.

The data center where I am located was of little help except that one support admin noticed something written in Estonian - also same advice as above to abandon the server.

Going through the web sites via FTP was able to see several files that had been uploaded which I would either delete or rename. Also had the same issue with doing a fix and then it would come back! An attempt to stop this: I removed the write permissions on index.html - also check the .htaccess files...

The info about the /tmp directory is new to me, I have attached a link screen shot of that from my server.
http://www.hostprodirect.com/tmp_screenshot.jpg

Thanks!

- Dave
 
You must log in or register to reply here.

Similar threads

C
Question Analysing Sender IP in Mail Headers
Replies
0
Views
503
Change Maker
C
datea.services
Question Attempts to exceed outgoing limits: log of mails not sent
Replies
4
Views
1K
Peter Debik
P
W
Issue Need help - all emails goes to spam
Replies
5
Views
2K
mow
M
B
Question Virus Alert notification email
Replies
4
Views
2K
BobK
B
L
Issue ( authorization token is unavailable ) Could not issue/renew Let`s Encrypt certificates
Replies
7
Views
348
Leta
L
Back
Top