Plesk Checking to see if you have been attacked / infected

So you have patched your server and the hacker can’t get in again, so now we need to tidy up any files which may have been added. In my case I found 13 rogue Perl scripts within the cgi-bin folders of different domains. Each file had a random filename, e.g. motherboard.pl, preconnective.pl, etc., and contained surprisingly well documented code (for a trojan!), even telling me its origin on the first line: “#part of the Gootkit ddos system”.

So first off, we will find and list ANY Perl scripts within your server’s web hosting files:

cd /var/www

find * -iname '*.pl' -ls

After producing this list, make a note of any rogue files, investigate each one, and DELETE! This however will not stop the process running if it has already launched, so you will also need to check whether any of the rogue scripts you listed are running as processes.

Find and kill any rogue Perl scripts:

ps aux | less

It might be easier to find the Perl scripts by using grep to reduce the number of processes to look through (the dot is escaped so the pattern matches a literal “.pl” rather than any character followed by “pl”):

ps aux | grep '\.pl'

This lists the running processes, which we need in order to find the PID to kill (I have omitted my genuine scripts):

domain  5369  0.0  0.2  41040  5928 ?        S    13:12   0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal

Now to kill off all those processes:

kill 5369
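The two checks above (find the planted scripts, then find the processes running them) as one added shell helper that is not part of the original post. It assumes the Gootkit marker comment the post quotes on the first line of each rogue script, takes the web root as an argument, and runs against constructed sample files and a constructed `ps aux` listing so it can be tried offline.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Assumes the marker
# comment "#part of the Gootkit ddos system" the post reports on line 1 of
# each rogue script, and that the web root is passed as an argument.

# Print every .pl file under $1 whose first line carries the Gootkit marker.
find_marked_perl() {
    find "$1" -type f -iname '*.pl' 2>/dev/null | while IFS= read -r f; do
        head -n 1 "$f" | grep -qi 'gootkit ddos system' && printf '%s\n' "$f"
    done
}

# Read `ps aux` output on stdin and print "PID SCRIPT" for each perl
# interpreter running a script under $1. Matching on the interpreter and
# the script's directory avoids the noise of `grep .pl` (the grep process
# itself, and any command line that merely contains "pl").
perl_procs_under() {
    awk -v root="$1" '
        $11 ~ /(^|\/)perl[0-9.]*$/ && index($12, root) == 1 { print $2, $12 }
    '
}

# --- Constructed sample data so this runs offline (not real infection data) ---
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/vhosts/example.test/cgi-bin"
printf '#part of the Gootkit ddos system\nwhile(1){}\n' \
    > "$DEMO_ROOT/vhosts/example.test/cgi-bin/impends.pl"
printf '#!/usr/bin/perl\nprint "hello";\n' \
    > "$DEMO_ROOT/vhosts/example.test/cgi-bin/contact.pl"

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
domain 5369 0.0 0.2 41040 5928 ? S 13:12 0:00 /usr/bin/perl /var/www/vhosts/example.test/cgi-bin/impends.pl normal
root 1200 0.0 0.1 10000 2000 pts/0 S+ 13:15 0:00 grep .pl
apache 2100 0.1 0.5 90000 8000 ? S 12:00 0:01 /usr/sbin/httpd -k start'

echo "Marked scripts under $DEMO_ROOT:"
find_marked_perl "$DEMO_ROOT"
echo "Perl processes running scripts under /var/www:"
printf '%s\n' "$SAMPLE_PS" | perl_procs_under /var/www
```

On a live server, feed it with `ps aux | perl_procs_under /var/www` and review the listed PIDs before passing them to `kill`, as the post does.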

All done.

Source

http://www.mikcx.com/plesk-api-vulnerability-allow-anonymous-hacker/

Plesk patch

http://kb.parallels.com/en/113321
