Serious Security Problem

[beri]

Hello,

I am having a serious security problem. Plesk 7.5.6 and Windows fully patched.

Yesterday in all Domain vhosts httpdocs following files where replaced

default.asp
default.htm
index.asp
index.cfm
index.htm
index.html
index.php

The new files were directing to a hacker page.

I did not found any important hints in the log files, how this attack was done.

Can anyone help me finding a solutions how to determine the security problem. Or has anyone the same problem.

Thanks!

 

[badlyspawnedboy]

We are experiencing the same phenomenon on our Plesk 7.5.5 machine.

All of our sites 'defaced'. Unfortunately we have little clue.

Has anyone else seen things like this happen?

A full restore would fix the symptom but how can we fix the cause?

Where to look?

 

[beri]

I did some research today, but still having no idea whats going on.

According to zone-h.org the hacker did this mass defacement to about 900 sites the last ten days. 99% Windows Server 2003.

Help appreciated.

 

[Togy]

I had same problem. Problem comes with Plesks wrong user permissions. Plesk defined users with wrong permissions listed below :
psacln
psaadm
psaserv

psacln one of most important. This user makes attacker to comprimise server and download databases!!!
FSO "File System Object" is most known method for lamers. With FSO anyone can access domains hosted on server. Attacker can upload files on any domain etc.! Can takeover whole server too. FSO is normaly code tool for web developers but if user permissions is wrong on server then FSO is very dangerous. Removing FSO is easy but of course customers will not be happy with it because some functions will not work on server with ASP.
On command prompt or "Run" box do this :
regsvr32 -u scrrun.dll
then press enter.

Don't worry about FSO will no longer work. If you want to reload FSO do :
regsvr32 scrrun.dll
then FSO will be reloaded on server but remember security issue.

Somebody also recommends :
regsvr32 -u wshom.ocx

And never give "Everyone" permission on any folder!.
If you need to give write permissions for databases then right click "httpdocs" folder and click "modify" "Plesk IIS USR...." and click "Advanced" click "replace........." box, click "OK", "Yes" then "OK" again.

Better way apply that permission only on folder where .mdb databases located at or where write permissions needed.

Much better way is, apply that "IIS USR.." on domain "private" folder and give "modify" permissions and let know customer to upload his databases to private folder. Because any visitor may download .mdb database from "httpdocs" folder by explorer as its a web publish folder.

NOT : "virtual path" can not used within "private" folder, so "pyschal path" should used. "c:\inetpub\vhosts\domain\private" also code should points that is pyschal folder, no virtual.

Now lets talk about that fix security problem?
NOT realy!. Because wrong user permissions still there but as i told before FSO is most known method for attackers. Attacker still can comprimise system using another methods until plesk don't fix wrong permissions. For example; If you deny permissions for "psacln" user then some serious plesk functions will not work, mysql will not work. But that user makes server available to get hacked at anytime. Because this user also gives all domain users to access server system folders.

As you see real problem is not FSO but user permissions. If user permissions get fixed then FSO not dangerous.

Other hand this is serious Microsoft Windows's security problems. Because normaly not matter what permission you give that FSO is an ASP tool so users should not be able to access system directories and domains not belong to itself , of course that my opinion. Anyway, Microsoft won't ansver to this question if you asks them they says they don't give support for IIS, blah!

Plesk should check permission architecture and let us know how to fix it or publish a patch since its not easy for us to fix it.

PS : Do not anything with permissions if you don't know what you are doing!

Any help should be appreciated.

 

[JackL]

I think it was practical to check System log for MSFTPSVC warnings. Some servers periodically brute force attacked for ftp accounts

John S.G.

 

[Togy]

Any customer can attack server since FSO enabled on server. No need get brute force attack to do that. I hope this issue get fixed soon.