• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Changes to suexec?

E

Eric Pretorious

Regular Pleskian
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/ said:
The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis... We also recommend using... `rpm –verify` for RPM based systems, to verify the integrity of your Apache web server package installation.
Click to expand...
While searching for the Linux/CDorked.A exploit, I discovered that the suexec binary has been modified:
Code: 
[root@www httpd]# rpm -V httpd
S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /usr/sbin/suexec

[root@www httpd]# for x in `rpm -ql httpd | grep sbin` ; do ls -al $x ; done
-rwxr-xr-x 1 root root 3916 Feb 22 11:19 /usr/sbin/apachectl
-rwxr-xr-x 1 root root 19984 Feb 22 11:21 /usr/sbin/htcacheclean
-rwxr-xr-x 1 root root 354816 Feb 22 11:21 /usr/sbin/httpd
-rwxr-xr-x 1 root root 368168 Feb 22 11:21 /usr/sbin/httpd.event
-rwxr-xr-x 1 root root 367240 Feb 22 11:21 /usr/sbin/httpd.worker
-rwxr-xr-x 1 root root 11192 Feb 22 11:21 /usr/sbin/httxt2dbm
-rwxr-xr-x 1 root root 16744 Feb 22 11:21 /usr/sbin/rotatelogs
-r-s--x--- 1 root apache 24128 May  3 04:00 /usr/sbin/suexec
Could this be the result of a PP microupdate or is this an exploit? I only ask because PP touches/modifies so many parts of the host system...
 
Faris Raouf said:
I'm 99.9% certain that of the latest MUs updates it.
Click to expand...

Yeah, I kind'a figured when I found this:
Code: 
[root@www rocket-powered.com]# strings /usr/sbin/suexec | grep -i sw
sw-cp-server

[root@www rocket-powered.com]# strings /usr/sbin/suexec | grep -i psa
psaserv
psaadm
_MIN_POSSIBLE_PSA_CONF_VAR_NAME
_MAX_POSSIBLE_PSA_CONF_VAR_NAME
_MIN_POSSIBLE_PSA_CONF_VAR_VALUE
_MAX_POSSIBLE_PSA_CONF_VAR_VALUE
/etc/psa/psa.conf
/usr/local/psa/bin/php-cli
/var/lib/psa/dumps
/usr/local/psa

Faris Raouf said:
It would be sensible to make a copy of it though.
Click to expand...

That's a great idea, Faris!

Thanks.
 
You must log in or register to reply here.

Similar threads

M
Issue Scheduled backups
Replies
16
Views
2K
Manija
M
V
Resolved Roundcube config.local.php not read
Replies
3
Views
831
Visnet
V
Franco
Resolved CentOs2Alma conversion failed - disk space?
Replies
7
Views
2K
Bitpalast
Bitpalast
Oscar Segura
Issue Upgrading from Ubuntu 20.04 to 22.04: failed reboot
Replies
0
Views
3K
Oscar Segura
Oscar Segura
flederwiesel
Question `SSLVerifyClient require` -> AH10158: cannot perform post-handshake authentication
Replies
0
Views
730
flederwiesel
flederwiesel
Back
Top