Even worse, they didn't even notice until I called. If you're a 1and1.com customer I recommend you change your username and password now!
I included some log snippets to help you make sure your account hasn't been compromised.
1and1.com hacked
My server (using plesk 8.1 on windows 2003 server) has been compromised with some sort of rootkit and I'm investigating vulnerabilities. This server hosts some of my asp.net applications and I have to grant Modify Permission to IIS WP (iwam_plesk) user on Some subfolders (under Httpdocs folder for each domain). Is it a security problem? if yes, how else can I allow asp.net applications to write to, say, an Access db?
View 2 Replies View RelatedSomebody knew password databases of my forum do not know how then enter and modify the forum style templates and add iframe codes. Among the actions of its currency, although that problem still:
Initially I found phpshell uploaded on my site and I delete him , and I realized that there is no other phpshell.
1- I have changed database password and ftp password.
2 - I coded config file using zend
3- I make chmod 751 for directory and 644 for files.
I worked all these actions, however hacked on a daily basis.
How come this hackers to my server?
How closed this issue?
What is the log files, which would know from which all the details from entering the database?
We have several sites on one server. When I use the plesk wordpress manager it some how updates the User and Group permissions on folders and files with the username apache. How or what command do I run to get it to use the site username and psacln. It appears something maybe in an update or whatever has caused this issue. This only occurs with wordpress and drupal updates from the plesk interface.
What command can I run just to update the permissions to update all users to a username and psacln security settings on folders and directories.Running Plesk 12.0.18 and CentOS7
Im a webhoster...im getting many support tickets that clients r not able to add user to the database in cpanel...
View 7 Replies View RelatedLets say i gave user space on my site. They also make there own pages e.g blog or whatver
how would that work. Would those blog pages just automatically get added to my host server as if i uplaoded it
or would it get stored in a databse. if so how. and wer can i laern do u knw?
I tried grant a user to have access to a database via a shell script.
Database 'userdb' and user 'user1' are already setup.
This is my code .
Code:
#!/bin/sh
mysql -u root -pROOTPASS <<!
grant all privileges on userdb.* to user1@localhost
identified by 'dbpasswd' with grant option;
!
The code doesn't work.
1 have to create a new user, for example "webmaster" with ftp access, plesk access and database access.
My problem is: after i make all, this user can see all database for this domain. Can i show him only 1 database (him database)? If yes, how i can do?
After upgrading to plesk 12 over the weekend. None of my mail users can authenticate.I'm receiving quite a few error messages such as this for my ipmap users
authpsa[3822]: No such user 'bstewart@mwfbooks.com' in mail authorization database
courier-imapd: LOGIN FAILED, user=bstewart@mwfbooks.com, ip=[::ffff:69.176.116.106]
I've tried running mchk --with-spam command. But it hangs at the mail_auth_dump for several hours. Checking the cpu on that command and it is sitting idle.I've tried running the mail_auth_dump.worker manually and no better luck. Still nothing on the screen just hangs as if it's asleep.
Connection to the database server failed: Unknown column 'plugin' in 'mysql.user'
View 1 Replies View RelatedI want to buy vps server from 1and1.com but I am from Turkey. 1an1 said me " The dedicated server packages are only available for US and Canada only ". For this reason I cant buy VPS server from 1and1. is there anybody sell vps and dedicated from 1and1? or does anybody help me for buying vps or dedicated server. I can pay broker price.
I want to use 1and1 because when I send email on 1and1 based server, all mail to inbox. I am building Email hosting company in TURKEY. If you know other hosting company as 1and1. all email going to go inbox. I may work with him.
when I try to access to my plesk I obtain:
ERROR: PleskFatalException: Unable to connect to database: Access denied for user 'admin'@'localhost' to database 'psa' (auth.php:142).
If I restart with ssh /etc/init.d/psa start and I check plesk_11.5.30_reset_instance_data.log
I note: ERROR 1044 (42000): Access denied for user 'admin'@'localhost' to database 'mysql'.
We use CentOS Linux 7.0.1406 (Core) with Plesk Version 12.0.18 Update #27.
We have the following problem:
When a user clicks on a database in his account and tries to login with phpmyadmin, Plesk prompts for a Password of that specific user. The message is (in german):
Code:
The site https://........:8443 responded with:
Enter the password to log in as the database user xxxxxx
When i enter the correct password a new phpmyadmin window opens and the user can use his database. A few days ago you didnt have to enter a password at all. When you were logged into Plesk as a user, you could just click "Databases -> Webadmin" and phpmyadmin opened up without Plesk asking for a password.
The question for the password is NOT coming from phpmyadmin. Its from Plesk itself. After i enter the correct password plesk hands the request over to PMA.
For debugging i created a new database for a user and i could enter its database without any problem. No password was required. But the existing old databases now all require a password. So obviously Plesk is not aware of these passwords anymore. I guess they are/were stored somewhere.
I can resolve this situation I have.
I sent a server I have with a provider to have a RAM upgrade yesterday at 15:33 UTC, and ever since then I have had no access to my server.
SSH has been changed back to port 22, from a random high port.
root password has changed
RSA key has changed too.
I can see 3 possable reasons for this:
1) It's a different server plugged into the rack/router or a stolen IP
2) My provider "kindly" formatted and reinstalled my OS.
3) I have a compromised server, I very much doubt this as the server was offline.
I informed my provider about 18 hours ago that I had a "possable compromised server" and since then I have been given the run around as to what is happening.
For the last couple hours or so I have been trying to get them on live chat, which shows as online, but no-one answers. Thats another pet hate of mine.
I also have a couple tickets open asking for an update as they are not answering my origional ticket with updates.
Am I just being impaitent wanting a resolution to this in less than 18 hours or am I correct to complain?
I am trying to determine if i am hacked, here is details:
I just got a message from softlayer support: ABUSE - 66.228.xxx,xxx - HACKING/MALICIOUS ACTIVITY - IMMEDIATE ACTION REQUIRED. with some log like this:
Quote:
Connection attempt to TCP IP.IP.IP.34:80
>from 66.228.xxx.xxx:41212 flags:0x02 Sep 28 14:05:55 PDT kernel:
Also, I did a rkhunter scan and found:
Quote:
cat /var/log/rkhunter.log | grep Warning
[18:26:29] /usr/bin/GET [ Warning ]
[18:26:29] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
[18:26:29] /usr/bin/groups [ Warning ]
[18:26:29] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
[18:26:30] /usr/bin/ldd [ Warning ]
[18:26:30] Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
[18:26:35] /usr/bin/whatis [ Warning ]
[18:26:35] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
[18:26:36] /sbin/ifdown [ Warning ]
[18:26:36] Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
[18:26:36] /sbin/ifup [ Warning ]
[18:26:36] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
[18:27:43] Checking '/etc/xinetd.d/ftp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/poppassd_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtp_psa' for enabled services [ Warning ]
[18:27:44] Checking '/etc/xinetd.d/smtps_psa' for enabled services [ Warning ]
[18:27:44] Checking for enabled xinetd services [ Warning ]
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
[18:27:44] Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
[18:27:59] Checking for hidden files and directories [ Warning ]
[18:27:59] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[18:27:34] Checking running processes for deleted files [ Warning ]
[18:27:34] Warning: The following processes are using deleted files:
[18:27:34] Process: /usr/libexec/mysqld PID: 4773 File: /tmp/ib2RpbEj
[18:27:34] Process: /usr/sbin/httpd PID: 8449 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 8452 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12102 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 12950 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13044 File: /tmp/.apc.PGGxew
[18:27:34] Process: /usr/sbin/httpd PID: 13046 File: /tmp/.apc.PGGxew
So does that mean my server was compromised?