Re: Proftpd exploit with plesk

Posted: Sat Mar 03, 2012 7:48 pm
by faris
EvolutionCrazy wrote: Or does anybody that got a server running with Plesk before September 2011 have to consider it "rooted"? :/

Potentially ... but this is very unlikely.

The recon happened in January. If you were vulnerable then, AND you were reconned AND (various other things) then your system's security would be in doubt.

There are also a few other things that people could have done - with hindsight! e.g. change Plesk's port, or block 8443 from the internet at your edge firewall, and set up a login page on the network that redirects to it (and is allowed). That would stop most recons.

Nobody has said where the recons came from, but I'm betting cn/ru/ro/ua IP-space? Or did they hire a botnet for the purpose?

Re: Proftpd exploit with plesk

Posted: Sat Mar 03, 2012 7:53 pm
by EvolutionCrazy
On the machines I was asked to inspect there were traces from everywhere.... A lot from the US.

Yeah, a lot of things could have been done..... Even doing an rpm -e psa could have helped us all...

We need proper explanations from whoever has access to the sources of agent.php.....