Atomic Secure Linux
 Post subject: file injection
Posted: Mon Jul 09, 2012 5:37 pm
Forum User

Joined: Wed Jun 25, 2008 5:43 am
Posts: 28
Hi,
even though my server is protected with ASL, I get the following (partial) code injected into index.php or index.html of the shared sites:
...script... *km0ae9gr6m*/window.eval(String.fromCharCode(116,114..... lot of numbers.... /*qhk6sa6g1c*/... /script ...

I guess they try to inject all the sites hosted on the same IP, since only a certain IP is affected but not shared sites on other IPs of the server. On some sites, if the index.htm is not present, the index.htm is created with the following content:

cat: /var/www/vhosts/SITENAME/httpdocs/index.htm: No such file or directory
filemng: Error occured during /bin/cat command. ...script... /*km0ae9gr6m*/window.eval(String.from....and the same code follows (please note that I have removed < for security reasons here)

I have some things turned off in ASL because of some script's needs - what could have caused this security breach?

thanks

Jan
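A defender-side scan for the injected block described in this post, added here as an example and not part of the original thread. It looks for the marker comment or the eval-of-fromCharCode construct in site index files and reports when each was modified; the directory layout and the /var/www/vhosts root are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: locate site index files carrying the
# injected "/*km0ae9gr6m*/window.eval(String.fromCharCode(...))" block quoted
# above and show when each was last modified. It runs over a constructed
# directory tree; on a Plesk box the root would be /var/www/vhosts (the
# per-site layout used below is an assumption).

# List every index.php/index.html/index.htm below $1 whose contents match the
# marker comment or the eval-of-fromCharCode construct.
find_injected_index() {
    find "$1" -type f \( -name index.php -o -name index.html -o -name index.htm \) \
        -exec grep -lE 'km0ae9gr6m|window\.eval\(String\.fromCharCode' {} + 2>/dev/null
}

# Same list, each path prefixed with its modification time, so the incident
# window can be narrowed from file dates.
find_injected_with_mtime() {
    find_injected_index "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(date -r "$f" '+%Y-%m-%d %H:%M')" "$f"
    done
}

# Constructed sample tree: one clean site and one carrying both variants
# described in the post (the fromCharCode payload here is a two-byte stub).
root=$(mktemp -d)
mkdir -p "$root/siteA/httpdocs" "$root/siteB/httpdocs"
printf '<html><body>clean</body></html>\n' > "$root/siteA/httpdocs/index.html"
printf '<script>/*km0ae9gr6m*/window.eval(String.fromCharCode(116,114))/*qhk6sa6g1c*/</script>\n' \
    > "$root/siteB/httpdocs/index.html"
printf 'cat: %s: No such file or directory\nfilemng: Error occured during /bin/cat command. <script>/*km0ae9gr6m*/</script>\n' \
    "$root/siteB/httpdocs/index.htm" > "$root/siteB/httpdocs/index.htm"

find_injected_with_mtime "$root"
# On a live server: find_injected_with_mtime /var/www/vhosts
```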


 Post subject: Re: file injection
Posted: Mon Jul 09, 2012 10:33 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3242
Location: Chantilly, VA
Do you have the real time malware protection enabled? It definitely detects this type of malware, and stops it.

https://www.atomicorp.com/wiki/index.php/Anti_virus

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: file injection
Posted: Mon Jul 16, 2012 5:42 am
Forum User

Joined: Wed Jun 25, 2008 5:43 am
Posts: 28
Hi,
thanks for the answer. Just a question though: do I have to load your kernel for this? After installation of the script (quite some time ago) and configuration of the ASL kernel, after reboot the server only recognised one CPU (on a multi-proc, multi-core machine). The host said it booted into some weird kernel that doesn't support multiple CPUs (I found that curious but simply disabled the ASL kernel). So now I am a bit afraid that the same thing would happen if I try it again.

Can dazuko be loaded without the ASL kernel?


 Post subject: Re: file injection
Posted: Mon Jul 16, 2012 10:22 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3242
Location: Chantilly, VA
No, dazuko requires a kernel that supports it. If your kernel does not already have this, then you can not use it.

We don't have any non-SMP kernels. You can tell if a kernel is built with SMP support by running this command:

grep _SMP /boot/config*

If you see this:

CONFIG_X86_64_SMP=y
CONFIG_SMP=y

Example:

config-2.6.32.59-22.art.x86_64:CONFIG_X86_64_SMP=y
config-2.6.32.59-22.art.x86_64:CONFIG_SMP=y

If you see that, it's built SMP. So if the box comes up without multiple CPUs (or cores, more likely), and it's an SMP kernel, then it's not the kernel that's doing that; it's something to do with the hardware, virtualization solution or a BIOS setting, which can disable cores and SMP altogether. Some broken RAID controllers may force the BIOS into non-SMP mode, and some virtualization products will restrict virtual machines to single cores.

If you are sure it actually came up with only one core, and you were running one of our kernels, then you either have a serious hardware problem or, if you are on a virtualization platform, your hosting provider is restricting your cores. If it's a dedicated box, I'd switch systems soon; something is very wrong with it if it's supposed to be multi-core and it's not showing multiple cores on an SMP kernel.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
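The CONFIG_SMP check from the post above, carried a step further as an added example (not the project's or the poster's own code): it classifies every config under a boot directory and says whether the currently booted kernel version is an SMP build. The sample config files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify each /boot/config-* file as SMP
# or non-SMP from its CONFIG_SMP line (the check the post above describes with
# grep _SMP) and tell whether a given running-kernel version, as printed by
# uname -r, belongs to an SMP build. The sample configs are constructed.

# Print "smp" or "nosmp" for one kernel config file.
smp_status() {
    if grep -q '^CONFIG_SMP=y' "$1"; then
        echo smp
    else
        echo nosmp
    fi
}

# For every config in a boot directory print "<kernel-version> <status>".
# The version is the file name minus "config-", which is what uname -r
# reports when that kernel is booted.
report_kernels() {
    for f in "$1"/config-*; do
        [ -f "$f" ] || continue
        echo "${f##*/config-} $(smp_status "$f")"
    done
}

# Succeed (exit 0) only if version $2 has a config under $1 marked SMP.
running_is_smp() {
    [ -f "$1/config-$2" ] && [ "$(smp_status "$1/config-$2")" = smp ]
}

# Constructed sample: a uniprocessor config and an SMP config side by side,
# the way distributions that shipped separate kernel and kernel-smp packages did.
demo=$(mktemp -d)
printf 'CONFIG_BROKEN_ON_SMP=y\n# CONFIG_SMP is not set\n' > "$demo/config-2.6.9-67.EL"
printf 'CONFIG_SMP=y\nCONFIG_X86_SMP=y\n' > "$demo/config-2.6.9-67.ELsmp"

report_kernels "$demo"
# On a real box: running_is_smp /boot "$(uname -r)" || echo "booted a non-SMP kernel"
```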


 Post subject: Re: file injection
Posted: Mon Jul 16, 2012 2:33 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
Additionally to enabling antivirus (dazuko), some info for you:

This code is injected due to the vulnerability from February in Plesk.
Plesk Micro Updates are available for that.
But even if you had patched it back in February, there was the possibility that the bad guys had already dumped your database with all passwords from Plesk.
Then you have to change all passwords. Plesk provides a mass password change script.
Info is here:

http://kb.parallels.com/113321
http://kb.parallels.com/114330
http://kb.parallels.com/en/114379

ASL of course can't protect you from people logging in via the correct password.


 Post subject: Re: file injection
Posted: Mon Jul 16, 2012 5:28 pm
Forum User

Joined: Wed Jun 25, 2008 5:43 am
Posts: 28
Hi, thanks for the plesk info and the kernel.
About the kernel: I have a box with multiple multi-core CPUs (and now all works fine), but after the ASL install (and the first reboot a couple of months later) it booted into a wrong kernel and showed only one CPU after that. The guys fixed it and booted the right kernel (I have the data about the wrong one lying somewhere) and, as I said, it has worked fine since then (3-4 months). Anyway, the current output of the command is:
/boot/config-2.6.9-67.EL:CONFIG_BROKEN_ON_SMP=y
/boot/config-2.6.9-67.EL:# CONFIG_SMP is not set
/boot/config-2.6.9-67.EL:CONFIG_X86_FIND_SMP_CONFIG=y
/boot/config-2.6.9-67.ELsmp:CONFIG_SMP=y
/boot/config-2.6.9-67.ELsmp:CONFIG_X86_FIND_SMP_CONFIG=y
/boot/config-2.6.9-67.ELsmp:CONFIG_X86_SMP=y
/boot/config-2.6.9-89.0.9.EL:CONFIG_BROKEN_ON_SMP=y
/boot/config-2.6.9-89.0.9.EL:# CONFIG_SMP is not set
/boot/config-2.6.9-89.0.9.EL:CONFIG_X86_FIND_SMP_CONFIG=y
/boot/config-2.6.9-89.0.9.ELsmp:CONFIG_SMP=y
/boot/config-2.6.9-89.0.9.ELsmp:CONFIG_X86_FIND_SMP_CONFIG=y
/boot/config-2.6.9-89.0.9.ELsmp:CONFIG_X86_SMP=y


I guess it supports smp and can install dazuko?

thanks again


 Post subject: Re: file injection
Posted: Mon Jul 16, 2012 6:36 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3242
Location: Chantilly, VA
No. You don't have any ASL kernels installed, so you can't use dazuko. Your kernels are also pretty old; they do not support dazuko natively either, so aside from getting a new kernel on there that does support dazuko, you'd also benefit from the speed improvements in the newer kernels.

From the data you sent, you do have two non-ASL, non-SMP kernels installed:

/boot/config-2.6.9-67.EL
/boot/config-2.6.9-89.0.9.EL

So maybe that's what your system booted into? Like I said earlier, we don't have any non-SMP kernels, and you do have non-SMP kernels on your system, so it would seem reasonable to me to assume it was one of those you booted into and not an ASL kernel.

As I said earlier, I don't see an ASL kernel installed on your system. None of the kernels you listed are ASL kernels. Are you sure you had the ASL kernel installed? It's not installed on your system according to the information you sent.

If you want to install the ASL kernel, please see this documentation page:

https://www.atomicorp.com/wiki/index.php/Kernel

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: file injection
Posted: Sun Jul 29, 2012 1:06 pm
Forum Regular

Joined: Mon Mar 10, 2008 9:12 pm
Posts: 475
Location: Southampton, UK
Hi,

I've just had a client have this happen to him. The odd thing is it is the second domain it has happened to, and both domains belong to him and both domains are on completely different IPs.

Needless to say I've asked him to run an in-depth virus scan, as I believe his machine may have been compromised and possibly causing this issue, especially as no other domains on either of the IP addresses or the server have been affected. I also don't believe it is a result of the recent Plesk vulnerability, as I patched my Plesk install (8.6) the very day it was announced. Also the logs for the client's domains don't show any FTP activity on that day or within a 3-day window either before or after, so how it happened is a mystery to me.

I'm running the latest ASL install and updates, so how can I check if dazuko is active and installed?

_________________
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland


 Post subject: Re: file injection
Posted: Sun Jul 29, 2012 3:16 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
That 'km0ae9gr6m' string is mentioned on http://kb.parallels.com/en/114396

Sounds like your password database was stolen using that Plesk vulnerability. You might want to consider doing a mass password reset.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: file injection
Posted: Sun Jul 29, 2012 4:57 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
You have to do these things to install dazuko:
https://www.atomicorp.com/wiki/index.php/Anti_virus

As a first step to check if someone used the vulnerability, I would check the logfile under:
/usr/local/psa/admin/logs/httpsd_access_log

Look for entries with "file-manager" in them.
Those are file changes done over a correct login via the file manager function.
More details in the links from the posts above.
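The log check from the post above, worked through as an added example (not the poster's own script): it pulls the file-manager entries out of the panel access log and summarises them by client address and by day, so edits made through a valid login can be tied to a source and a time window. It assumes the log is in Apache combined format and runs on a constructed sample rather than the real httpsd_access_log.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the Plesk panel access log
# entries that went through the file manager, so edits made with a valid
# login stand out. Assumes the log is in Apache combined format (an
# assumption) and works on a constructed sample rather than the real
# /usr/local/psa/admin/logs/httpsd_access_log.

# Every request line that touched the file manager.
filemanager_lines() {
    grep 'file-manager' "$1"
}

# "<count> <client ip>" per line, busiest client first.
filemanager_by_ip() {
    filemanager_lines "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of file-manager requests on one day, given as dd/Mon/yyyy.
filemanager_count_on() {
    filemanager_lines "$1" | grep -c "\[$2:" || true
}

# Distinct days on which the file manager was used, one per line.
filemanager_days() {
    filemanager_lines "$1" | sed 's/^[^[]*\[\([^:]*\):.*/\1/' | sort -u
}

# Constructed sample: two file-manager edits from one address on 12 July, a
# plain login from another address, and one more file-manager hit the next day.
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.7 - admin [12/Jul/2012:03:14:07 -0500] "GET /file-manager/?cmd=chdir&dir=/httpdocs HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - admin [12/Jul/2012:03:14:22 -0500] "POST /file-manager/?cmd=edit&file=index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jul/2012:09:02:41 -0500] "GET /login.php3 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.2 - admin [13/Jul/2012:09:03:10 -0500] "GET /file-manager/?cmd=chdir&dir=/httpdocs HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
EOF

filemanager_by_ip "$sample"
filemanager_days "$sample"
```

Any address that edited files through the file manager at a time no legitimate administrator was working is the one to cross-check against the dates on the modified index files.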


 Post subject: Re: file injection
Posted: Sun Jul 29, 2012 5:50 pm
Forum Regular

Joined: Mon Mar 10, 2008 9:12 pm
Posts: 475
Location: Southampton, UK
I've locked the 8443 port down to just 3 IP addresses this afternoon.

So do I have to reset all passwords including email and ftp for all 30 domains that I host?

I presume this means that Plesk was slack in its security, and left plain text passwords in the database, or is it something else?

_________________
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland


 Post subject: Re: file injection
Posted: Mon Jul 30, 2012 4:15 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
If you are sure that you were hacked over this vulnerability, I would do it.
Otherwise you will become a spammer quite quickly, because they will start to send mail from your server with a correct login.
So all passwords should be changed.


 Post subject: Re: file injection
Posted: Mon Jul 30, 2012 4:25 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Changing passwords might not even be enough. Changing a password won't clean up any malware that has already been planted.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: file injection
Posted: Mon Jul 30, 2012 5:08 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 802
Location: Germany
breun is right, you have to do a lot of things. Disabling Plesk login is a good first step.
You need to check where code was injected and remove it, check if new users were created,
patch Plesk, change passwords, scan for malware, etc.


 Post subject: Re: file injection
Posted: Mon Jul 30, 2012 7:35 am
Forum Regular

Joined: Mon Mar 10, 2008 9:12 pm
Posts: 475
Location: Southampton, UK
The thing is it has only happened on 2 domains, and as I said both were owned by the same guy.

The index files that were changed were dated 12th July, and the first one was mid June.

I suspect that possibly I haven't been affected, and that it is a case of his machine having had malware, especially as the logs (as suggested earlier) show no indications, and I've checked all the other sites' index and htaccess files, and none of these are showing any signs of malware.

I'll change the Plesk admin login, and my own sites' details of course (FTP and email), and I've already turned off control panel access for clients, as the majority of my clients don't use it anyway. I'll also install dazuko as that seems to be a recommended course of action, and will help highlight any further intrusions. But to be fair I'm not a Linux guru, so getting dazuko set up and configured properly is going to be fun.

I'll continue to monitor the situation, and make a mass password change only if further signs pop-up.

_________________
Matt

"Given that God is infinite, and that the universe is also infinite... would you like a toasted teacake?"

about.me/mattauckland
twitter.com/mattauckland

