
URGENT help, somebody is breaking into my computer

Originally posted by jerry2
Thanx. I will do that.

I have now closed Plesk and Remote Desktop in firewall for all but my IP. Can the IP be spoofed? So that somebody can mask as my IP? He seems to be gone for this moment.
It's possible, but almost unreal.
 
Well, he may know my IP by now.

But anyway, just to clear things up. On Windows 2003 Server, if I close Remote Admin on my IP and Plesk on my IP and leave only FTP and www ports open, the chance of someone getting in is still possible? I mean without Remote Desktop and Telnet closed, how can one log in anyway?
 
Jerry2,

There is no way to 100% secure your server. There is always a chance that your machine will be hacked. Of course, making it harder for someone to hack into your system by disabling some services and closing as many ports as possible will lower the chance of getting hacked. Plesk is a very good CP and its core technology is very secure and stable.

Thanks
Henryk
 
I have no idea how he got in. I had only Plesk installed :-( I had no viruses.

I know nothing is 100%, but blocking Remote Desktop connection and Plesk to a static IP is a very good idea or a good hacker doesn't mind?
 
That's right. There are also different remote applications available to RDC to your server. Please research the Internet for them so you can go ahead and totally turn OFF your Windows RDC connections.

I will look for some good ones for you and will let you know.
 
Eghh, I have another problem now. My key didn't update today, it is said to be invalid. I don't have a keyfile on my server because it is a hosting company keyfile. But I had backups made in Plesk that include keys, I guess, and a sniffer on my system. Could it be that my key has been stolen? What to do in this case?

Yours

Jerry :-(
 
You may try to restore only system settings from Plesk backup, this operation restores Plesk key.
 
Thanx. The key seems to be invalid now...

I wonder why there is no possibility to password protect Plesk backup...
 
I have been seeing this problem for one year. If you don't block RDP connection to server you will be compromised every time.

I think there is a problem with Plesk. I saw different versions of Plesk server compromised.
 
Originally posted by andrey
1) turn off all network adapters
2) close all network ports except really needed for you in firewall
3) change administrative password for all users in Administrative group
4) remove
4.1) on 64bit machine HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PLESK\PSA Config\Config\papswd
4.1) on 32bit machine HKEY_LOCAL_MACHINE\SOFTWARE\PLESK\PSA Config\Config\papswd
5) remove all unrequired users from Remote Desktop Users group
6) remove all accounts from Administrative Tools\Local Security Policy\User Rights Assignment\Allow log on through Terminal Services, then add only self account to this privilege
7) run netstat -a -o and ore
7.1) put here output
7.2) close and move to some temporary folder all non Microsoft and non Plesk program from netstat output
8) restart Plesk services
9) remove all unrequired applications and drivers
9) turn on all required network adapters
10) restart your machine

Hi,

Why does Plesk use this registry value "papswd"? Is it the Plesk administrator account password?
 
I found something interesting,

I am logging network connections; the attacker first tried to connect to port 8880, which is used by Plesk. Maybe there is a vulnerability in Plesk Agent.
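
An added example, not part of any post in this thread: a Python triage of the netstat review in step 7 of the quoted checklist, checked against the firewall policy discussed above (FTP and www open to all, Remote Desktop and Plesk reachable from one address only). The sample output is constructed and uses the numeric form printed when `-n` is added to `netstat -a -o`; `ADMIN_IP`, the port sets and the `triage` function are assumptions made for illustration.

```python
import re

# Assumptions for this example (none of these values come from the thread):
ADMIN_IP = "198.51.100.5"    # the single address allowed to reach management ports
PUBLIC_PORTS = {21, 80}      # FTP and www, left open to everyone
MGMT_PORTS = {3389, 8880}    # Remote Desktop default port, Plesk port named in the thread

# Constructed sample in the numeric form printed by `netstat -a -n -o`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1016
  TCP    0.0.0.0:8880           0.0.0.0:0              LISTENING       2204
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3920
  TCP    192.0.2.10:3389        198.51.100.5:50122     ESTABLISHED     1016
  TCP    192.0.2.10:8880        203.0.113.77:41811     ESTABLISHED     2204
  TCP    192.0.2.10:80          203.0.113.9:60211      ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    612
"""

# One TCP row: local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")

def triage(text, admin_ip=ADMIN_IP):
    """Return (finding, local_port, remote_addr, pid) tuples worth a closer look."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines, blank lines and UDP rows (no state column)
        _, lport, raddr, _, state, pid = m.groups()
        lport, pid = int(lport), int(pid)
        if state == "LISTENING" and lport not in PUBLIC_PORTS | MGMT_PORTS:
            # A service is listening that the firewall policy never accounted for.
            findings.append(("unexpected-listener", lport, None, pid))
        elif state == "ESTABLISHED" and lport in MGMT_PORTS and raddr != admin_ip:
            # Someone other than the administrator holds a management session.
            findings.append(("foreign-mgmt-session", lport, raddr, pid))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The PID in each finding can be matched to an image name with `tasklist`, which is how the non-Microsoft and non-Plesk programs in step 7.2 are identified.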
 