GenuineIntel, Intel(R) Xeon(R)CPU E5520 @ 2.27GHz
Parallels Plesk Panel v10.4.4_build1013111102.18 os_Debian 6.0
Linux 2.6.36.4-vs2.3.0.36.39-nc
Hello forum,
On 24.02 I had a few administrative tasks to do on my server and found that my admin account had been restricted. Access via SSH was still possible, and with a few mysql commands I was able to free the admin account again. On logging in, though, I had to face the disaster whether I liked it or not. There was a new user and two new vhosts.
User: uyuidfguiu
Vhosts: sloboz.uk.me, and www.........
When going through the httpds_access log I found the following.
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:07 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:09 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:12 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:14 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:16 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:19 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:21 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:23 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:26 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:28 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:30 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:33 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:35 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:38 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:40 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:42 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:45 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:47 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:49 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:52 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:54 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:56 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:17:59:59 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:18:00:01 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:18:00:03 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:18:00:06 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:18:00:08 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:50.30.34.43 XX.XX.XX-33:8443 - [21/Feb/2013:18:00:10 +0100] "POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET / HTTP/1.1" 200 1328 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /javascript/common.js?plesk_version=psa-10.4.4-1013111102.18 HTTP/1.1" 200 2225 "https://XX.XX.XX-33:8443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /javascript/prototype.js?plesk_version=psa-10.4.4-1013111102.18 HTTP/1.1" 200 37451 "https://XX.XX.XX-33:8443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /login.php3 HTTP/1.1" 303 0 "https://XX.XX.XX-33:8443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /login_up.php3 HTTP/1.1" 200 4932 "https://XX.XX.XX-33:8443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /skins/default/css/base.css?plesk_version=psa-10.4.4-1013111102.18 HTTP/1.1" 200 13440 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:18 +0100] "GET /skins/default/css/btns.css?plesk_version=psa-10.4.4-1013111102.18 HTTP/1.1" 200 2649 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:19 +0100] "GET /skins/default/css/custom.css?plesk_version=psa-10.4.4-1013111102.18 HTTP/1.1" 200 38 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:19 +0100] "GET /javascript/jsw.js?plesk_version=psa-10.4.4-1013111102.18 HTTP/1.1" 200 26178 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:19 +0100] "GET /skins/default/img/heading-bg.png HTTP/1.1" 200 1325 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:19 +0100] "GET /skins/default/plesk/images/def_plesk_logo.png HTTP/1.1" 200 2025 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:19 +0100] "GET /skins/default/img/btn.png HTTP/1.1" 200 1711 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:19 +0100] "GET /skins/default/img/blank.gif HTTP/1.1" 200 49 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
::ffff:5.12.197.22 XX.XX.XX-33:8443 - [21/Feb/2013:18:07:24 +0100] "POST /login_up.php3 HTTP/1.1" 200 1298 "https://XX.XX.XX-33:8443/login_up.php3" "Mozilla/5.0 (Windows NT 6.1; WOW64)
That is only an excerpt, and the vhosts were created at 20:27.
An nslookup on the first address 50.30.34.43 gave the following --> hawk088.startdedicated.com
An nslookup on the second address 5.12.197.22 gave the following --> 5-12-197-22.residential.rdsnet.ro
On closer inspection in the GUI I then also found that since 22.02 there have been 1331 mails sitting in the queue, and indeed
all from the sender
I have put this address on the blacklist in the hope that it helps.
I have also changed the admin password for Plesk and root, but I think the box is infected.
The intruder has also made himself at home in the passwd with a /bin/bash entry. But that could also have been done by Plesk.
So all in all I now have a very uneasy feeling and hope you can help me.
What can I do?
Regards
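The access-log excerpt in the post shows the pattern a defender wants to spot automatically: one source address POSTing to the panel's login handler every two to three seconds with neither a Referer nor a User-Agent, followed minutes later by an interactive browser session. The script below is an added example, not code from the post or from Plesk; it parses lines in the vhost-port Apache format the post shows (including the ::ffff: IPv4-mapped prefix) and flags sources that fit that pattern. The sample lines are constructed to mirror the post's excerpt, with the documentation address 203.0.113.33 standing in for the masked server IP; the window and threshold values are assumptions to tune for your own log volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache-style access-log line in the vhost:port form the post shows:
# client, vhost:port, ident, [timestamp], "request", status, size, "referer", "user-agent".
# The ::ffff: prefix is an IPv4-mapped IPv6 address written by a dual-stack listener.
LINE_RE = re.compile(
    r'^(?:::ffff:)?(?P<ip>[0-9a-fA-F.:]+) (?P<vhost>\S+) (?P<ident>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'   # optional: a truncated line still parses
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_login_bursts(lines, path="/login_up.php3",
                      window=timedelta(seconds=60), threshold=10):
    """Per source IP, the largest number of POSTs to `path` inside any span of
    length `window`; only IPs reaching `threshold` are returned (assumed values)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def login_posts_without_browser(lines, path="/login_up.php3"):
    """Count login POSTs per IP that carry neither a Referer nor a User-Agent.
    A browser submitting the login form sends both; the burst in the post sends neither."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == path
                and rec["referer"] == "-" and rec["ua"] == "-"):
            counts[rec["ip"]] += 1
    return dict(counts)


# Constructed sample modelled on the post's excerpt: twelve scripted POSTs two seconds
# apart, then an interactive browser session, then one line that does not parse at all.
SAMPLE_LOG = [
    '::ffff:50.30.34.43 203.0.113.33:8443 - [21/Feb/2013:17:59:%02d +0100] '
    '"POST /login_up.php3 HTTP/1.1" 200 5177 "-" "-"' % (7 + 2 * i)
    for i in range(12)
] + [
    '::ffff:5.12.197.22 203.0.113.33:8443 - [21/Feb/2013:18:07:18 +0100] '
    '"GET /login.php3 HTTP/1.1" 303 0 "https://203.0.113.33:8443/" "Mozilla/5.0 (constructed)"',
    '::ffff:5.12.197.22 203.0.113.33:8443 - [21/Feb/2013:18:07:24 +0100] '
    '"POST /login_up.php3 HTTP/1.1" 200 1298 "https://203.0.113.33:8443/login_up.php3" '
    '"Mozilla/5.0 (constructed)"',
    'this line is deliberately not an access-log record',
]

if __name__ == "__main__":
    print("login bursts:", find_login_bursts(SAMPLE_LOG))
    print("login POSTs without browser headers:", login_posts_without_browser(SAMPLE_LOG))
```

To run it over the real file, pass the open log (the one the post calls httpds_access) in place of SAMPLE_LOG; both functions accept any iterable of lines. The two checks are deliberately independent: a burst of login POSTs from one address is the rate signal, and login POSTs with empty Referer and User-Agent are the client-shape signal, so an address that trips both is a strong candidate for blocking at the firewall and for checking against the panel's own admin-login history.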