
Server hacked

parisioa (Guest)
My Plesk server was hacked, and I now have several problems.

My admin password was apparently changed (I can't get in using it, and I know what it is/was).

Whenever you try to go to any site hosted on this server, you get prompted for login credentials; Plesk Reconfigurator couldn't fix this. I tried changing the password on the account and using that in IIS, but it didn't work, so all my sites are inaccessible.

Finally, the MailEnable exploit was used, and it was running an SMTP relay server. I noticed this and disabled that service, but I can't get the first two problems fixed.
 
Thanks, that worked for the IIS login problems.

I fixed the Plesk admin account; somebody had hacked in and changed that password.

My firewall was tracking 6000 concurrent TCP connections from this box, all dport=110.
 
Originally posted by parisioa
In my transparent firewall:
cat /proc/net/ip_conntrack | wc -l

Post seems to be for a Linux version of Plesk.
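The 6000 concurrent connections to dport 110 that parisioa reported, and the cat /proc/net/ip_conntrack | wc -l count quoted above, only give a total for the whole table. The script below is an added example, not code from this thread or from Plesk: it breaks a Netfilter conntrack table down by source address and destination port of the original direction of each flow, so the host opening the connections and the port it is hammering are identified in one line rather than inferred from a raw count. It assumes a Netfilter firewall like the Debian bridge described in the thread; the sample conntrack lines, the addresses in them (documentation ranges) and the threshold are constructed for illustration.

```shell
#!/bin/sh
# Summarise a Netfilter conntrack table by (source IP, destination port) of the
# ORIGINAL direction of each flow, so one host opening thousands of outbound
# connections to a single port (POP3/110 in the thread) stands out immediately.
# Works on the old /proc/net/ip_conntrack format and the newer
# /proc/net/nf_conntrack format, because it scans tokens rather than columns.

# Constructed sample in /proc/net/ip_conntrack format (not data from the
# poster's firewall). 203.0.113.10 plays the compromised server.
sample_conntrack() {
  cat <<'EOF'
tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.1 sport=1025 dport=110 [UNREPLIED] src=198.51.100.1 dst=203.0.113.10 sport=110 dport=1025 use=1
tcp      6 117 SYN_SENT src=203.0.113.10 dst=198.51.100.2 sport=1026 dport=110 [UNREPLIED] src=198.51.100.2 dst=203.0.113.10 sport=110 dport=1026 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.3 sport=1027 dport=110 src=198.51.100.3 dst=203.0.113.10 sport=110 dport=1027 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.55 dst=203.0.113.10 sport=50123 dport=80 src=203.0.113.10 dst=192.0.2.55 sport=80 dport=50123 [ASSURED] use=1
udp      17 29 src=203.0.113.10 dst=198.51.100.53 sport=4000 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=4000 use=1
EOF
}

# Read conntrack lines on stdin; print "<count> <src> <dport>", busiest first.
# Only the FIRST src=/dport= tokens on each line are used: they describe the
# direction in which the connection was opened, so the reply tuple that
# follows on the same line is not counted as a second flow.
conntrack_summary() {
  awk '{
    src = ""; dport = ""
    for (i = 1; i <= NF; i++) {
      if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
      if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
    }
    if (src != "" && dport != "") count[src " " dport]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# conntrack_flag THRESHOLD DPORT: print "<src> <count>" for every source
# address with more than THRESHOLD tracked flows opened toward DPORT.
# On a live firewall, for the situation in the thread:
#   conntrack_flag 500 110 < /proc/net/ip_conntrack
conntrack_flag() {
  conntrack_summary | awk -v t="$1" -v p="$2" '$3 == p && $1 > t { print $2, $1 }'
}

# Stand-alone demo against the constructed sample when run with no arguments.
if [ "$#" -eq 0 ]; then
  sample_conntrack | conntrack_summary
  echo "--- sources with more than 2 flows to dport 110 ---"
  sample_conntrack | conntrack_flag 2 110
fi
```

On kernels that no longer expose /proc/net/ip_conntrack, feed the script /proc/net/nf_conntrack or the output of conntrack -L instead; the token scan handles either layout. Because the first src=/dst= pair is the original direction, a hit means the server is initiating the connections toward port 110, which is exactly the "from this box" pattern described, rather than receiving POP3 logins from clients.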
 
Originally posted by 3dguru
Post seems to be for a Linux version of Plesk.
I have a transparent Ethernet bridge/firewall in front of an entire rack of hardware, including Windows Plesk installations, pure IIS web servers, mail servers, etc.

Edit: the transparent firewall is a home-built Debian box.
 
Originally posted by parisioa
I have a transparent Ethernet bridge/firewall in front of an entire rack of hardware, including Windows Plesk installations, pure IIS web servers, mail servers, etc.

Edit: the transparent firewall is a home-built Debian box.

If you find out how it was hacked, please let me and support know.

If it is a Plesk hole or they penetrated using another hole...
 
Originally posted by 3dguru
If you find out how it was hacked, please let me and support know.

If it is a Plesk hole or they penetrated using another hole...

It was definitely a MailEnable hack. I had the MailEnable SMTP Relay Agent service (or whatever it was that was in C:\Windows\), and there was also a Serv-U daemon installed, which I nuked, but it was useless to the hackers because the transparent firewall would have kept them from being able to use it for anything (only a select number of ports are opened, and there is no way anybody could access that firewall).
 