Hello,
A customer's Plesk running Ubuntu 12.08 and Plesk 12.0.18 was hacked tonight.
He sent a file to one subscription using a vulnerable uploadfy.swf on that site. After uploading the file, the hacker changed something in users shadow or other that I don't understand and ran a su with root
su[21158]: Successful su for r00t by www-data
su[21158]: pam_unix(su:session): session opened for user r00t by (uid=33)
After the successful "su" he ran a script that changes all INDEX.PHP in all subscriptions...
Plesk server hacked
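A triage check for the log lines quoted in the post, added here as an example and not part of the original post: it flags `su` sessions started by a web or daemon account and lists UID 0 accounts other than root in passwd-format text. The service-account list, the 1-999 system UID range, the function names and every sample line other than the two quoted from the post are assumptions made for illustration.

```python
import re

# Assumptions: these accounts run web/daemon code and never need su;
# UIDs 1-999 are system accounts (Debian/Ubuntu default range).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

SU_OK = re.compile(r"su\[(?P<pid>\d+)\]: Successful su for (?P<target>\S+) by (?P<caller>\S+)")
PAM_OPEN = re.compile(r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session opened "
                      r"for user (?P<target>\S+) by \S*\(uid=(?P<uid>\d+)\)")

def su_sessions(lines):
    """Merge the su and pam_unix records of each su process, keyed by PID."""
    sessions = {}
    for line in lines:
        for rx in (SU_OK, PAM_OPEN):
            m = rx.search(line)
            if m:
                sessions.setdefault(m["pid"], {}).update(m.groupdict())
    return sessions

def flag_service_su(lines):
    """Return (pid, caller, caller_uid, target) for su started by a service account."""
    hits = []
    for pid, s in su_sessions(lines).items():
        uid = int(s["uid"]) if "uid" in s else None
        if s.get("caller") in SERVICE_ACCOUNTS or (uid is not None and 0 < uid < 1000):
            hits.append((int(pid), s.get("caller"), uid, s["target"]))
    return hits

def extra_uid0_accounts(passwd_text):
    """Return names of passwd entries that have UID 0 but are not root."""
    names = []
    for entry in passwd_text.splitlines():
        f = entry.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            names.append(f[0])
    return names

# The first two lines are from the post; everything else is constructed sample data.
SAMPLE_AUTH = [
    "su[21158]: Successful su for r00t by www-data",
    "su[21158]: pam_unix(su:session): session opened for user r00t by (uid=33)",
    "su[4021]: Successful su for postgres by root",
    "su[4021]: pam_unix(su:session): session opened for user postgres by admin(uid=0)",
]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
r00t:x:0:0::/root:/bin/bash"""
print(flag_service_su(SAMPLE_AUTH), extra_uid0_accounts(SAMPLE_PASSWD))
```

On a live host the same functions can be fed the lines of `/var/log/auth.log` and the contents of `/etc/passwd`.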