Search found 63 matches

by EvolutionCrazy
Sat Nov 24, 2012 8:58 am
Forum: General Help and Development Discussion
Topic: modsecurity_crs_10_config.conf missing
Replies: 6
Views: 8740

Re: modsecurity_crs_10_config.conf missing

hi, thanks for the exhaustive and quick reply ;) yeah this is an old centos5 box without ASL subscription... mod security was working ok with the delayed rules but stopped working a few mod_security updates ago due to missing tortix* file. didn't spend much time on it, just using the sample tortix* f...
by EvolutionCrazy
Fri Nov 23, 2012 11:56 pm
Forum: General Help and Development Discussion
Topic: modsecurity_crs_10_config.conf missing
Replies: 6
Views: 8740

Re: modsecurity_crs_10_config.conf missing

nowhere?

looks like that if you are an ASL customer it does not get enabled by default?

even the delayed rulesets do not include a standard modsecurity config:
http://updates.atomicorp.com/channels/rules/delayed/
by EvolutionCrazy
Sat Mar 03, 2012 7:53 pm
Forum: General Help and Development Discussion
Topic: Proftpd exploit with plesk
Replies: 16
Views: 20235

Re: Proftpd exploit with plesk

On the machines I was asked to inspect there were traces from everywhere.... A lot from the US.

Yeah a lot of things could have been done..... Even doing a rpm -e psa could have helped us all...

We need proper explanations from whoever has access to the sources of agent.php.....
by EvolutionCrazy
Sat Mar 03, 2012 2:11 pm
Forum: General Help and Development Discussion
Topic: Proftpd exploit with plesk
Replies: 16
Views: 20235

Re: Proftpd exploit with plesk

How can we be sure that agent.php can't modify/upload files and was just able to "leak" infos? I couldn't have said that better. Forensics always comes down to "How do you know?" Yeah, you are fully right. But I think it's in Parallels' best interests to let us know what can be do...
by EvolutionCrazy
Fri Mar 02, 2012 1:16 pm
Forum: General Help and Development Discussion
Topic: Proftpd exploit with plesk
Replies: 16
Views: 20235

Re: Proftpd exploit with plesk

so: I do not see uploads via ftp, I do not see access to file manager (or any other file in plesk admin interface), I do not see ssh access... can we suppose it was just an information leak without modifications/uploads? As for now I saw only agent.php references that were not standard... no uploads vi...
by EvolutionCrazy
Fri Mar 02, 2012 10:45 am
Forum: General Help and Development Discussion
Topic: Proftpd exploit with plesk
Replies: 16
Views: 20235

Re: Proftpd exploit with plesk

add: searching around I see agent.php only mentioned about data leaks...

to upload the file they need to access .../file-manager/create-file/ or go via ftp...

Am I wrong?
by EvolutionCrazy
Fri Mar 02, 2012 10:28 am
Forum: General Help and Development Discussion
Topic: Proftpd exploit with plesk
Replies: 16
Views: 20235

Re: Proftpd exploit with plesk

I'm inspecting a couple machines... and I see POST requests to agent.php samples: ./httpsd_access_log.processed:109.206.185.155 XX.XX.XX.XX:8443 - [26/Feb/2012:12:57:51 +0100] "POST /enterprise/control/agent.php HTTP/1.1" 200 1744 "-" " -" ./httpsd_access_log.processed:...
by EvolutionCrazy
Fri Mar 02, 2012 8:44 am
Forum: General Help and Development Discussion
Topic: Proftpd exploit with plesk
Replies: 16
Views: 20235

Re: Proftpd exploit with plesk

scott wrote: 3) Attack uses the vulnerable agent.php injection to upload bot code via the file manager. Note, this is unauthenticated.
So it's confirmed that agent.php could be used to upload files and not just to leak data?
by EvolutionCrazy
Tue Nov 16, 2010 7:13 am
Forum: Control Panel Support Help
Topic: psa-proftpd conflicts - plesk won't update
Replies: 14
Views: 17685

Re: psa-proftpd conflicts - plesk won't update

having the same problem on all my boxes...

In the newer base package only proftpd got updated?

http://www.parallels.com/it/products/plesk/ProFTPD/
by EvolutionCrazy
Sun Oct 12, 2008 7:01 pm
Forum: Anti-Spam Help and Discussion
Topic: --quarantine-reject: reply with an smtp error to spam
Replies: 5
Views: 6534

ok thank you, will try that for spamassassin :)
by EvolutionCrazy
Sun Oct 12, 2008 4:46 pm
Forum: Anti-Spam Help and Discussion
Topic: --quarantine-reject: reply with an smtp error to spam
Replies: 5
Views: 6534

tried doing the configure of qmail scanner with "--quarantine-reject yes" but that didn't result in what I was looking for (nothing changed :( ) basically I'm sending an email to myself (from a different server) with subject: "viagra" and content "viagra" it "fai...
by EvolutionCrazy
Sun Oct 12, 2008 3:59 pm
Forum: Anti-Spam Help and Discussion
Topic: --quarantine-reject: reply with an smtp error to spam
Replies: 5
Views: 6534

I thought

SA_REJECT="yes"
would have done the trick, but it's not working as expected :(

shouldn't that result in the same behaviour?

PS: spamassassin in your repos is not configured to start at 345 runlevels?
by EvolutionCrazy
Sat Oct 11, 2008 8:41 pm
Forum: Anti-Spam Help and Discussion
Topic: --quarantine-reject: reply with an smtp error to spam
Replies: 5
Views: 6534

--quarantine-reject: reply with an smtp error to spam

I was looking around qmail-scanner.ini but didn't see anything that refers to the --quarantine-reject switch... Defaults to "no". Whether to trigger a SMTP error response to quarantine events (inc. SPAM). Qmail installed with the "custom error patch" will get a nice little text ...
by EvolutionCrazy
Mon Oct 06, 2008 4:17 pm
Forum: Anti-Spam Help and Discussion
Topic: plesk 8.6 - qmail-scanner error
Replies: 4
Views: 5772

yes, selinux was the problem :lol:

ty scott ;)