Small blog about system administration.

Plesk vulnerability: pseudodomains, km0ae9gr6m, RunForestRun, exploit removal

I can confirm it was a Plesk security issue that has now been patched and is also well known to them. The hacker only got access to the vhost directory and domains and did not get access to the server.

Basically all .js files were infected with

/*km0ae9gr6m*//*qhk6sa6g1c*/

and a number of .js files had

/*km0ae9gr6m*/INFECTED CODE/*qhk6sa6g1c*/

So to clear this up I needed a way to use SSH to scan and look for

/*km0ae9gr6m*/

and

/*qhk6sa6g1c*/

and delete those markers and everything in between.

I was kind enough to share some code that I adapted to work on my server.
My server runs a folder structure of /var/www/vhosts/, so I cd'd into /var/www/ and used the following command to clean up the hack.

find vhosts/ -type f -name '*.js' -print0 | xargs -0 perl -i -0777pe 's|/\*km0ae9gr6m\*/.*?/\*qhk6sa6g1c\*/||gs'
The above command needs to be on a single line to work.
I then used grep to search the vhosts directory and every folder and file within it using

grep -ir km0ae9gr6m *

This worked for me, I hope it does for you guys.
