Security problem with filemng

Discussion in 'Parallels Plesk Panel 9.x for Linux Problems, Suggested Fixes, and How-To' started by galaxy, Jul 2, 2012.

  1. Schlatter

    Schlatter New Member

    Messages:
    1
    Hello

    I have the same issue.

    logfile:
    xxx domain.com:8443 - [09/Jul/2012:03:25:26 +0200] "GET /plesk/client@72/domain@122/hosting/file-manager/ HTTP/1.1" 303 0 "https://domain.com:8443/plesk/client@72/domain@122/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/15.0.1084.56 Safari/546.5"

    plesk 9.5.2
  2. markytx

    markytx New Member

    Messages:
    22
    I've changed my admin password.

    IgorG: I use PBAS. If I change the user's passwords, won't that break the connection to PBAS?
  3. pstechnology

    pstechnology New Member

    Messages:
    47
    Hi. How did you identify which client account was being used?
    Thanks
  4. pstechnology

    pstechnology New Member

    Messages:
    47
  5. Squeeb

    Squeeb New Member

    Messages:
    18
    /var/log/audit/audit.log and /var/log/secure.log.* are your friends.

    You'll have to convert from Unix epoch to human-readable time on audit.log.

    You can marry up the user authenticating via the plesk admin panel with the users present in either of those log files by using the timestamp.
    That'll let you know which user was compromised.

    However, the only way to be sure an attacker cannot repeat the hack using a different username / password combination is to change all the unix user passwords, so that would be site / hosting users etc..

    I wouldn't imagine mail users would have this issue as they are virtual users and not unix users.
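    The correlation Squeeb describes (epoch timestamps in audit.log lined up against the panel's access log) can be scripted. The following is an added example, not code from the thread or from Parallels: it assumes the standard auditd `msg=audit(EPOCH.MS:SERIAL)` prefix with `acct=` / `addr=` / `res=` fields, and an Apache-style combined log for the panel on port 8443 like the line quoted in post 1. All sample log lines are constructed; the hostnames, IPs and account names are placeholders.

    ```python
    """Correlate Plesk panel access-log hits with auditd authentications.

    Added example (not from the thread or from Parallels). Assumes:
      - audit.log lines carry the standard 'msg=audit(EPOCH.MS:SERIAL)' prefix
        and contain acct="...", addr=..., res=... fields;
      - the panel access log uses the Apache-style combined format seen in the
        thread (client host:port - [timestamp] "METHOD PATH PROTO" status size ...).
    All sample lines below are constructed placeholders.
    """
    import re
    from datetime import datetime, timedelta, timezone

    AUDIT_RE = re.compile(
        r'^type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):.*?'
        r'acct="?(?P<acct>[^" ]+)"?.*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)'
    )
    PANEL_RE = re.compile(
        r'^(?P<client>\S+) (?P<host>\S+) \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
    )
    PANEL_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

    # Constructed sample data: one panel session touching the file manager, and
    # audit entries for a placeholder system account around the same minute.
    PANEL_LINES = [
        '198.51.100.23 panel.example.net:8443 - [09/Jul/2012:03:25:26 +0200] '
        '"GET /plesk/client@72/domain@122/hosting/file-manager/ HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
        '198.51.100.23 panel.example.net:8443 - [09/Jul/2012:03:25:30 +0200] '
        '"GET /plesk/client@72/domain@122/hosting/file-manager/edit/?cmd=chdir&file=/httpdocs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.23 panel.example.net:8443 - [09/Jul/2012:03:20:00 +0200] '
        '"GET /login.php3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ]
    AUDIT_LINES = [
        "type=USER_AUTH msg=audit(1341797100.317:2201): user pid=4410 uid=0 auid=4294967295 ses=4294967295 "
        "msg='op=PAM:authentication acct=\"webuser22\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.23 terminal=ssh res=success'",
        "type=USER_AUTH msg=audit(1341797090.002:2199): user pid=4408 uid=0 auid=4294967295 ses=4294967295 "
        "msg='op=PAM:authentication acct=\"webuser22\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.23 terminal=ssh res=failed'",
        "type=USER_AUTH msg=audit(1341700000.000:1800): user pid=3001 uid=0 auid=4294967295 ses=4294967295 "
        "msg='op=PAM:authentication acct=\"backupop\" exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.5 terminal=ssh res=success'",
        "type=CRED_ACQ msg=audit(1341797101.000:2202): user pid=4410 uid=0 auid=4294967295 ses=4294967295 "
        "msg='op=PAM:setcred acct=\"webuser22\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.23 terminal=ssh res=success'",
    ]


    def audit_epoch_to_utc(epoch_str):
        """Turn the audit(EPOCH.MS:...) value into an aware UTC datetime."""
        return datetime.fromtimestamp(float(epoch_str), tz=timezone.utc)


    def parse_audit(line):
        """Extract type, UTC time, account, source address and result from one audit.log line."""
        m = AUDIT_RE.match(line)
        if not m:
            return None
        return {"type": m["type"], "ts": audit_epoch_to_utc(m["epoch"]),
                "acct": m["acct"], "addr": m["addr"], "res": m["res"]}


    def parse_panel(line):
        """Extract client, UTC time, request path and status from one panel access-log line."""
        m = PANEL_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], PANEL_TS_FMT).astimezone(timezone.utc)
        return {"client": m["client"], "ts": ts, "path": m["path"], "status": int(m["status"])}


    def correlate(panel_lines, audit_lines, window_seconds=120, path_marker="/file-manager/"):
        """For every panel hit on the file manager, collect audit authentications
        within +/- window_seconds and split them into successful and failed accounts."""
        audits = [a for a in (parse_audit(l) for l in audit_lines) if a]
        window = timedelta(seconds=window_seconds)
        findings = []
        for line in panel_lines:
            p = parse_panel(line)
            if not p or path_marker not in p["path"]:
                continue
            nearby = [a for a in audits if abs(a["ts"] - p["ts"]) <= window]
            findings.append({
                "panel_utc": p["ts"].strftime("%Y-%m-%d %H:%M:%S UTC"),
                "client": p["client"],
                "path": p["path"],
                "accounts": sorted({a["acct"] for a in nearby if a["res"] == "success"}),
                "failed": sorted({a["acct"] for a in nearby if a["res"] != "success"}),
            })
        return findings


    if __name__ == "__main__":
        for f in correlate(PANEL_LINES, AUDIT_LINES):
            print(f["panel_utc"], f["client"], f["path"])
            print("  successful auth nearby:", f["accounts"], " failed:", f["failed"])
    ```

    The window is deliberately generous (two minutes) because the panel and auditd clocks are only loosely coupled; tighten it once you have a known-good login to calibrate against, and treat an account that shows up in the "accounts" list as the one to reset first.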
  6. markytx

    markytx New Member

    Messages:
    22
    I've changed only my admin password for now, and emptied the session table. Waiting to see if it happens again.

    Note that on Windows the SQL or MySQL password is really hard to find.

    I also have the complication of PBAS and Expand that prevents me from upgrading my Plesk installs.
  7. markytx

    markytx New Member

    Messages:
    22
  8. sergius

    sergius Parallels Team

    Messages:
    1,911
    Unfortunately, option 2 is highly probable.

    I guess hackers grabbed Plesk databases and then suspended their violent activity about 2-2.5 months ago in order to lull Plesk owners' vigilance.
    Now we are observing a new round of the exploit that is based on the grabbed Plesk databases.

    Please follow "Best Practices" from http://kb.parallels.com/113321.

    Sorry for the inconvenience.
  9. GopalakrishnanA

    GopalakrishnanA New Member

    Messages:
    2
    Our development team created a small executable to remove the script virus pattern from .htm, .html, .php, .asp, .css for Windows-based Plesk control panel websites. We will provide the link soon for all Plesk CP users.
  10. galaxy

    galaxy New Member

    Messages:
    175
    I'll have to say that "Option 2" is unlikely, *not* highly probable.

    We had changed all the passwords as per the KB, and in less than 24 hours they were back in again with the new passwords. They hacked Plesk again using all the newly generated passwords.
  11. rbstern

    rbstern New Member

    Messages:
    16
    Did you delete all of the current sessions before changing the passwords?
  12. galaxy

    galaxy New Member

    Messages:
    175
    The server was rebooted before and after (to assure it was clean).

    Also, the PBAS server was rebooted...
    Last edited: Jul 10, 2012
  13. rbstern

    rbstern New Member

    Messages:
    16
    I don't know enough about Plesk's inner workings to know if a reboot clears the sessions table.
  14. galaxy

    galaxy New Member

    Messages:
    175
    Just restarting plesk is enough. Rebooting is overkill, but you know you have a clean webserver and other services as well, and the caches are cleared. Try it yourself (before and after checking active sessions).
  15. sergius

    sergius Parallels Team

    Messages:
    1,911
    Hello, galaxy. Could you please provide a bit more information? How have you discovered "they hacked"?
    Have you found new infected files? Have you explored log files for operations with infected files? How long after you changed passwords and cleaned up sessions did "they hack" your server? Is it possible someone (your client) changed passwords back? We'd be grateful if you could give us as much information as possible about what happened.
    You should understand that we can fix the issue with your assistance only. Thanks.
    Last edited: Jul 12, 2012
  16. DaveW_IRE

    DaveW_IRE New Member

    Messages:
    6
    Just got cleared up. As the Parallels guys are saying, they harvested the psa databases for passwords before the patch was released. So back in February, when the patch was released, was the time to change all the passwords on ALL your servers running Plesk. On a couple of our boxes we didn't see any suspicious entries in the logs so we assumed that those servers were safe enough. We were wrong, they uploaded their scripts, but luckily we found them quickly and dealt with the situation.

    What we really need to know is: does anyone have the logs from the initial harvest of passwords, did they take the complete database or just Plesk and FTP passwords, and do we need to change email passwords as well if we are running mail on the same servers?

    Can we look forward to the plesk agent API being locked down in 9.x?
  17. wiseguy

    wiseguy New Member

    Messages:
    3
    How do you monitor login attempts via sw-cp-serverd? I want to see logs of the login attempts (which hopefully fail now after the password changes) before I can be certain that the patch fixed the security issue.
  18. GopalakrishnanA

    GopalakrishnanA New Member

    Messages:
    2
    Jsvirusfixer - download link

    You can download the virus fixer executable for Windows Plesk servers from the link below: jsvirusfixer
  19. yalti

    yalti New Member

    Messages:
    5
    Thanks for great script
  20. MartinSIT

    MartinSIT New Member

    Messages:
    7
    Same here,

    had the break-in in February, installed the patch and cleaned the system.

    On 9.7 and 10.7, however, there were successful break-ins.

    They modified the files and placed the malware JavaScript.
    However, I couldn't find any FTP logins, so can anyone tell me
    how they modified the files without using FTP?
    On some of the webpages there are even dynamic PHP scripts
    which could be used to place code in files...

    Thanks
