
We Are Hacked Again!!!!!!!!!!!!!!!!!!!!!!!!!!!

I am not saying hackers get in through Plesk like that first guy in this thread did. Actually our main servers are Plesk and have been running strong for 3 years. Also we have Plesk running our DNS for all our netblocks. I would never use cPanel for our own servers but will for our customers because of the ease in fixing everyday problems.
 
TO MARKUS:

I have created two tickets for you where you can describe the problems which you have with our software more exactly. I hope we will find a solution. Please check your e-mail and give us a reply.
 
Indeed, above all security is a process, it is not a product. You're only going to be as strong as the consistency of your security program.

1) Secure <- all the things you do to lock a system/application down. Firewalls, IDS/IPS, patches, etc.
2) Monitor <- your ability to detect/respond to threats.
3) Test <- verify that your security policy is effective, and your ability to find threats to your security program before the bad guys do.
4) Improve <- your ability to improve your security program.
 
I'd just like to point out the footer that comes along with emails submitted to Plesk support:

SUPPORT ESCALATION PROCEDURE

We stand behind our product.

If there are serious problems that are impacting your business and you are not getting help through normal channels, contact:

Pavel Malyavko
SWSoft Support Manager
+1-703-995-4157
[email protected]

Mr. Malyavko will escalate the problem to either the Director of Engineering, Director of Application Development, or the CEO.

I must agree: Plesk has been proven as one of the most stable and "just working" control panels. I used it flawlessly for years, and upgrades went great. Unfortunately, due to a very small flaw (that could have easily been fixed) in the upgrade to Plesk 8.0, it completely crashed my system. Keep in mind that I did wait about 3-4 months after the initial release to upgrade. I did end up getting it back up and working though after long hours of analysis.

In Markus' situation, I do believe there has definitely been a lack of competence in server management. It is up to the system administrator to secure the server and lock it down, and it's quite likely the attack could have been prevented. I recently tested my full-server backup on a fresh box, just to see if it worked, and there were problems with it just as you described. I was able to resolve the problems on the server and get a fresh, working backup.

Just like security is a process, so is your disaster-recovery plan.

However, I can also agree that there are a few aspects that are extremely buggy and require more focus in development. Those being:

A) Pleskbackup/restore utility
B) Testing

Personally, I wouldn't care if Plesk stopped adding big new features to their control panel and decided to address more focus on operability, stability, and working on resolving bugs. To me, that's what I look for in a control panel. In reality, those are the most important factors in choosing any piece of software.

Simple rule -> when you run a server, you need a knowledgeable administrator to manage it, and that's what keeps people like me in a job. If Plesk locked down your system for you, they would have more complaints about software not working, or other related problems. Security is a customized implementation; you don't just install software to do it for you, it has to fit your working scheme.

Sometimes completely putting the blame on someone else and "It should have worked." isn't the greatest attitude to put towards disasters that are all something you could have avoided yourself. In my opinion, Plesk IS at fault for the backup problems, but not nearly as much as you are.


Limedrink.
 
Originally posted by Limedrink
I was able to resolve the problems on the server and get a fresh, working backup.

Care to explain how?

-

Nevertheless this control panel is advertised to be secure and stable.

But with all the problems involving upgrades, most Plesk admins are hesitant to implement the upgrades and tend to wait a little before installing.

Also not everyone has a few test servers lying around. Even on a cloned box I got various results with the restore.
 
Originally posted by MarkDAE
Nevertheless this control panel is advertised to be secure and stable.

But with all the problems involving upgrades, most Plesk admins are hesitant to implement the upgrades and tend to wait a little before installing.

But please keep in mind - Plesk _IS_ secure - but Plesk only promises a secure control panel - and this unfortunately makes many think that a secure control panel = a secure server - which is a very wrong assumption.

I'm pretty sure the servers are not normally hacked via the Plesk software itself. And as a hoster you need to learn to distinguish between a secure server and a secure piece of software.

Again - like all other software on the server - Plesk itself is only a piece of software, just like MySQL, Apache, qmail etc. etc. It's a secure frontend to easily communicate with other server software.

And I agree - I don't like the upgrade path either. I really think that security/bug fixes should be released separately from feature releases, allowing customers more freedom to decide when to upgrade to new (and stable) feature releases - sadly this is not the way it works at present.
 
I do agree with you on some parts.

But a big problem is that upgrading some of the software components you manage with Plesk breaks the panel, or suddenly management of the software you have upgraded isn't possible.

I miss a little feedback on the side of Plesk in that area.
 
This is the value that redhat/centos push. They do separate security/bug fixes from feature changes.

This is why I pushed so hard for the design change to an rpm based distribution back with 2.0. Originally when we developed plesk, the entire design was monolithic (and still is, for freebsd people). It was self contained, but put the pressure of maintaining an awful lot of software on us. By working with the vendors, rather than trying to copy them, we were able to take advantage of their maintenance and testing to make a better product. If a redhat update breaks PSA, then absolutely that is a bug in PSA.
 
Originally posted by MarkDAE
Care to explain how?

-

Nevertheless this control panel is advertised to be secure and stable.

But with all the problems involving upgrades, most Plesk admins are hesitant to implement the upgrades and tend to wait a little before installing.

Also not everyone has a few test servers lying around. Even on a cloned box I got various results with the restore.

You can read exactly what I did here:

http://forum.swsoft.com/showthread.php?s=&threadid=37112

Any old P3/P4 box lying around with a decent size hard drive will work. I chose to start from a fresh install of Fedora 1 so I would know my results will be accurate.

I still haven't upgraded to Plesk 8.1 because I'm STILL hesitant. I think I'm going to find some time and eventually just do it.
 
Originally posted by atomicturtle
This is the value that redhat/centos push. They do separate security/bug fixes from feature changes.

This is why I pushed so hard for the design change to an rpm based distribution back with 2.0. Originally when we developed plesk, the entire design was monolithic (and still is, for freebsd people). It was self contained, but put the pressure of maintaining an awful lot of software on us. By working with the vendors, rather than trying to copy them, we were able to take advantage of their maintenance and testing to make a better product. If a redhat update breaks PSA, then absolutely that is a bug in PSA.

When you install Plesk on Fedora, what happens with security updates released by the Fedora Project?
Does Plesk install them automatically, or should the admin do it manually?
 
Thanks atomicturtle.
Funny thing though, yum is not installed! Should I inform the company that provides me the VPS to do it, or is there a way to install it myself? (I've got root)
 
Yeah, they do that a lot. What distro are you on? I've been working on getting a check into the atomic installer to install yum if it isn't there. I just need to know the specifics on each distro for what packages it needs to resolve the dependencies for it.
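The question above (whether vendor security updates are being applied at all) is the kind of thing a pre-flight script can answer before anyone relies on "the distro patches itself". Below is an added example of such a check, written for this thread; it is not code from the Plesk installer or the atomic installer. It assumes a Red Hat-style host where the distro is identified by the ID= line of /etc/os-release, and it assumes the `dnf updateinfo list --security` and `yum updateinfo list security` subcommands, which exist on the dnf and yum versions I know but not on very old yum builds.

```shell
#!/bin/sh
# Added example (not from the thread, Plesk, or the atomic installer): pre-flight
# check that a package manager is present and that pending security updates can be
# listed. Assumptions: dnf or yum is the expected package manager; the distro ID is
# read from an os-release style file (default /etc/os-release).

# detect_pkg_mgr [SEARCH_PATH] -> prints "dnf", "yum" or "none".
# SEARCH_PATH is a colon-separated directory list; defaults to $PATH.
detect_pkg_mgr() {
    search_path="${1:-$PATH}"
    for tool in dnf yum; do
        found=$(printf '%s\n' "$search_path" | tr ':' '\n' | while IFS= read -r dir; do
            if [ -n "$dir" ] && [ -x "$dir/$tool" ]; then
                echo "$dir/$tool"
                break
            fi
        done)
        if [ -n "$found" ]; then
            echo "$tool"
            return 0
        fi
    done
    echo none
}

# distro_id [OS_RELEASE_FILE] -> prints the ID= value (e.g. fedora, centos) or "unknown".
distro_id() {
    file="${1:-/etc/os-release}"
    if [ ! -r "$file" ]; then
        echo unknown
        return 0
    fi
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"' | head -n 1)
    if [ -n "$id" ]; then
        echo "$id"
    else
        echo unknown
    fi
}

# check_host -> prints the distro, the package manager found, and the list of
# pending security updates (or why that list is unavailable).
check_host() {
    mgr=$(detect_pkg_mgr)
    echo "distro: $(distro_id)  package manager: $mgr"
    case "$mgr" in
        dnf) dnf updateinfo list --security 2>/dev/null \
                || echo "updateinfo unavailable (no repository metadata reachable?)" ;;
        yum) yum updateinfo list security 2>/dev/null \
                || echo "updateinfo unavailable (older yum needs yum-plugin-security)" ;;
        none) echo "no dnf/yum found: vendor security updates cannot be applied on this host"
              return 1 ;;
    esac
}

# Run the live check only when asked, so sourcing the file for its functions is harmless.
case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `sh check-updates.sh --check` on the VPS; a "none" result is exactly the situation described in the post above, and the script exits non-zero so it can gate an automated hardening run.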
 
I've got 5000 domains running across 7 servers. Most trouble I've had with hacks is people having exploitable software running on the machine (zencart and phpbb, I'm looking at you). ModSecurity solves this before it becomes a problem. I learnt this in the early days.


Running a server (or servers) isn't about blaming people. It's about looking for solutions when you don't even have problems. It's about fixing things before they can cause you trouble. Perhaps you need to be paying someone to look after your server, or learning more about the systems you're supposed to be managing.
 
We thought we did everything right by hiring a 'highly recommended' server support company to do a complete server hardening. We then got hacked within a month.
Had to rebuild the server.
Don't know where the blame might be, but that's why I pay for offsite back up.
 
What does your "highly recommended" server support company say to this situation?
 