91.186.30.8 hacked?

  • 91.186.30.8 hacked?

    IP: 91.186.30.8

    My FTP password is a secure one, and unique to that site. Plesk, less so (been changed now just in case). MySQL password could probably be strengthened.

    Between 4 and 5 am this morning, this server became unavailable (went offline). When it came back online between 9 and 10 am this morning, the default.asp page of my site had been replaced with a compromised one.

    How do I know this? I have software that monitors the contents of my website's source code at a file level (via FTP) and it informed me of loss of connectivity at 5am and that default.asp had changed at 10am.

    Not sure how they got in, but being offline and then being compromised seem to be linked. It would be an amazing coincidence if they just happened to hack my Plesk login within the hour of the server coming back online.

    The original default.asp has been restored and plesk password strengthened just in case.

  • #2
    FYI the hack was a form of http://blog.unmaskparasites.com/2012...andom-domains/

    Which has this to say:-

    Update: at the bottom of this post you’ll find information about how a security hole in Plesk Panel was used to infect websites. Comments are also worth reading.

    ...

    Update (June 23, 2012): Thanks to everyone who left comments. The problem seems to be really in Plesk. Axel found traces of the attack in Plesk access logs. The attacker logged in and used file manager’s editor to modify .js files. Axel blames the Plesk vulnerability (versions before 10.4 are affected) found earlier this year and suggests that server admins fix it: http://kb.parallels.com/en/113321 and reset passwords for all plesk accounts:
    So if you are affected, then immediately change passwords of ALL Plesk accounts. This means: Plesk-admin-user, all reseller-accounts, all domain-administrators, FTP users of subdomains and web users of domains. And of course, if not previously done, update your Plesk installation!!
    Here’s one more useful link for server admins: How to make sure your Plesk Panel 8.x, 9.x, 10.0, 10.1, 10.2, or 10.3 is not vulnerable
    Is our Plesk still vulnerable?


    • #3
      Hello Austin,

      We are aware of the hack issue.

      We suspect the customers' Plesk logins with weak passwords were compromised due to the Plesk vulnerability, and not Plesk/the server itself. Plesk accounts were accessed remotely and files of the domains were edited using File Manager in the control panel.

      I can see two logins from different IPs around 10 AM, the time that you have mentioned the default.asp page was modified.
      I have updated the access logs of your Plesk control panel in the support ticket. Let us know the suspicious IPs and we will block them on our servers.

      The server was rebooted in the morning after installing Windows Security updates and not Plesk updates.
      The security patches and hotfixes released by Parallels have been installed now on our servers and the server is being monitored.
      Chris White
      (Former eUK Employee)


      UK's premier web hosting company.
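
The triage described in the posts above (a file monitor that gives a window between its last clean check and the detected change, and panel logins to match against that window), as an added example that is not part of the original thread or the host's tooling. The log layout, dates, IP addresses and function names are constructed for illustration and are not the real Plesk access-log format.

```python
from datetime import datetime

# Constructed sample events. The "timestamp ip action detail" layout is a
# simplified stand-in, not the real Plesk access-log format.
SAMPLE_LOG = """\
2012-07-10T03:12:44 198.51.100.23 login owner
2012-07-10T09:41:07 203.0.113.50 login owner
2012-07-10T09:52:30 192.0.2.77 login owner
2012-07-10T09:55:02 192.0.2.77 file-edit /httpdocs/default.asp
not a log line
2012-07-10T13:20:15 198.51.100.23 login owner
"""

def parse_events(text):
    """Return (time, ip, action, detail) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((when, parts[1], parts[2], parts[3]))
    return events

def triage(events, last_clean, detected, known_ips, changed_path):
    """List unknown IPs active between the last clean check and detection."""
    report = {}
    for when, ip, action, detail in events:
        if ip in known_ips or not (last_clean <= when <= detected):
            continue
        entry = report.setdefault(ip, {"logins": 0, "edited_target": False})
        if action == "login":
            entry["logins"] += 1
        elif action == "file-edit" and detail == changed_path:
            entry["edited_target"] = True
    # IPs that edited the changed file sort first.
    return sorted(report.items(), key=lambda kv: not kv[1]["edited_target"])

if __name__ == "__main__":
    window = (datetime(2012, 7, 10, 5, 0), datetime(2012, 7, 10, 10, 0))
    hits = triage(parse_events(SAMPLE_LOG), *window,
                  known_ips={"198.51.100.23"},
                  changed_path="/httpdocs/default.asp")
    for ip, info in hits:
        print(ip, info)
```

The window runs from the monitor's last successful check to the time it reported the change, because a polling monitor bounds the modification time rather than pinpointing it.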


      • #4
        Support ticket updated. I will monitor for any further malicious activity.


        • #5
          this has happened to me too. a load of JS files on my sites have been modified. I am in the process of checking them and of course changing passwords. Changing passwords is a real pain however because of the bug in plesk that resets site permissions every time you make a site change...the site becomes read only and crashes. I wish they would fix this!!!!!
          wheresmycar.co.uk - Ever wondered where your old car is?


          • #6
            Sorry to hear of your recent problems. I hope that you don't have any more hacking incidents. They can be an absolute pain to clear up sometimes.
            David Smith
            Managing Director
            DPS Computing Limited

            - Massive update! (September 2011) - It's now not neglected!!
            - New Site (10/2009)


            • #7
              I'm not sure if this is continuing or not..each day something is getting changed in plesk maybe because each day I'm having to ask support to reset the permissions on my site (they keep becoming read only). It's getting very annoying that this happens as my whole site crashes when this happens...I'm going to open a support ticket to see if they can tell me what's being changed

              and for the record, I HATE having to keep doing this because each time it takes your support people about 15 minutes to do this. why do I have to keep explaining how/why it happened? don't they know your system at all?? don't you train them? I've now been waiting close to 25 minutes for Shelia Lawson to reset the permissions....and still waiting
              wheresmycar.co.uk - Ever wondered where your old car is?


              • #8
                Originally posted by twisted-pixe
                I'm not sure if this is continuing or not..each day something is getting changed in plesk maybe because each day I'm having to ask support to reset the permissions on my site (they keep becoming read only). It's getting very annoying that this happens as my whole site crashes when this happens...I'm going to open a support ticket to see if they can tell me what's being changed

                and for the record, I HATE having to keep doing this because each time it takes your support people about 15 minutes to do this. why do I have to keep explaining how/why it happened? don't they know your system at all?? don't you train them? I've now been waiting close to 25 minutes for Shelia Lawson to reset the permissions....and still waiting
                Hi,

                I am sorry that you are continuing to have issues with your site. I have already forwarded your ticket #UJA-952-45060 onto our technicians in the Windows support department. They'll respond shortly. I sincerely apologise for the inconvenience.

                Kind regards,
                Ben Stones.


                • #9
                  Hi Ben,

                  you'll probably see I've created several tickets today, I've also had several conversations on support chat and just seem to be making 1 step forward 1 step backwards. Nobody can explain to me why these things are happening, and why your own tools are messing them up so badly. Everything was working just fine until you started messing with things.

                  I can't set my own permissions, followed the instructions given by support on how I can give myself these privileges, yet when I provide screenshots of doing what they told me, nobody can explain why this didn't work and seemed to just gloss over it

                  I've provided proof that my site permissions changed at 5.30 this morning, yet support are denying anything happened to cause this

                  I've been on a chat session with support to sort out the custom error documents which do not work

                  all of these things used to work just fine!!

                  please take a read through my tickets and see if there is something you can sort out for me.

                  many thanks
                  wheresmycar.co.uk - Ever wondered where your old car is?


                  • #10
                    Hello Alistair,

                    We have updated ticket: UJA-952-45060. Do let us know how you want us to proceed.

                    regards,
                    euksud
                    Technical Support Department.


                    • #11
                      hi..yes, I got your reply...so, let me just check my understanding.

                      I can stay where I am...and have constant issues...or..i can pay 4 times my current monthly outlay if I want something that works?...interesting proposal..

                      I have a 3rd option. I find an alternative host....thanks.
                      wheresmycar.co.uk - Ever wondered where your old car is?


                      • #12
                        this is just great....go take a look at my site now

                        www.secklow.com

                        see how competent EUKhost are???

                        now I have to go change passwords and everything!!! cos you are showing them!!!!!!

                        I cannot believe how you have managed to screw this up so badly

                        and this is the reply I just got from the support ticket

                        Hope you're doing well. If you remember this http://forums.eukhost.com/f41/custom-error-pages-7552/ you need to upload your custom error documents to the error_doc folder and then set them up in plesk. I have done this for you now via plesk and also changed a property in IIS so that changes made in plesk stay put.

                        http://www.secklow.com/wee.asp now gives me your custom error page. You can replace the one in error_docs folder.

                        really??
                        wheresmycar.co.uk - Ever wondered where your old car is?


                        • #13
                          Hello Alistar,

                          I have updated your ticket SJN-140-61721. I would request you to update it should you require further assistance.

                          Thanks,
                          Ray
