We migrated a Plesk 8.3 server (Linux) to 11.0.9 (Linux) today. It mostly went fine, but we had two sites that would time out when trying to load in a browser window. There were eight IPs total in the subnet; seven were used, and five had sites that were working fine.
So, I went to another server to do a telnet test and sure enough, I could telnet to it, but when I requested a page it would time out. These were both basic HTML sites. It was very perplexing.
The server we did the telnet test from was in the same datacenter as the new server. This was our mistake, because it turns out that three of the eight IPs in this block were null-routed from the abuse of a previous client. The null-route was handled at the upstream provider level, so our tests from another server in the same DC were invalid.
So, lesson learned, always test from a different datacenter!
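To make the telnet-then-request check described above repeatable, here is an added example (not from the original post) that reports the TCP connect phase and the HTTP response phase separately, so a "connects but never answers" host stands out. The `simulate()` function uses constructed stand-in hosts so it runs offline; the 192.0.2.x addresses are documentation placeholders, and the probe should be run from a vantage point outside the server's own datacenter.

```python
import socket

def probe_http(host, port=80, path="/", connect_timeout=5.0, read_timeout=10.0,
               connector=socket.create_connection):
    """Probe one host: did TCP connect, and did an HTTP status line come back?
    `connector` defaults to socket.create_connection; it is a parameter only so
    the probe can be exercised offline with a stand-in (see simulate())."""
    result = {"host": host, "connect": False, "response": False, "status": None, "error": None}
    try:
        sock = connector((host, port), timeout=connect_timeout)
    except OSError as exc:
        result["error"] = "connect failed: %s" % exc
        return result
    result["connect"] = True  # the "telnet works" phase
    try:
        sock.settimeout(read_timeout)
        request = "GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
        sock.sendall(request.encode("ascii"))
        head = sock.recv(4096)
    except socket.timeout:
        result["error"] = "connected but no response within %.0fs" % read_timeout
        return result
    except OSError as exc:
        result["error"] = "request failed: %s" % exc
        return result
    finally:
        sock.close()
    if head.startswith(b"HTTP/"):
        result["response"] = True
        result["status"] = head.split(b" ", 2)[1].decode("ascii", "replace")
    else:
        result["error"] = "non-HTTP reply"
    return result


class _FakeSocket:
    """Constructed stand-in: returns `reply`, or times out on recv if reply is None."""
    def __init__(self, reply):
        self.reply = reply
    def settimeout(self, timeout): pass
    def sendall(self, data): pass
    def close(self): pass
    def recv(self, size):
        if self.reply is None:
            raise socket.timeout("timed out")
        return self.reply


def simulate():
    """Constructed sample: one healthy host, one that accepts TCP but never answers."""
    fakes = {"192.0.2.10": b"HTTP/1.0 200 OK\r\n\r\n", "192.0.2.11": None}
    def fake_connector(address, timeout):
        return _FakeSocket(fakes[address[0]])
    return {ip: probe_http(ip, connector=fake_connector) for ip in fakes}
```

Against real hosts, call `probe_http(ip)` for each address in the block and compare the results from two different networks; a host that connects from both but answers from neither, or answers from only one, is what the null-route above looked like.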
OK, so, for 99% of us, this goes without saying, but for the 1% of the world, I just want to reiterate how important your password security is. A client today had a server that they provide to their client. This client insisted on having an administrator RDP account. It was never used. But this was also their FTP account (based on how Windows manages RDP/FTP accounts).
So, even though they NEVER used the account for RDP access, they did use it for FTP access and several different people had access to the account. Today that account was used to access RDP and created three new users. They removed IIS completely and proceeded to start installing a game server.
Because of our monitoring, we knew within 30 minutes that the server had been compromised. We got the administrator password reset and locked down RDP. We checked the integrity of the backups and then reformatted the server. Client is in the process of reinstalling ColdFusion and reconfiguring IIS.
The sites served off this server will probably be down a total of about 12 hours. The bottom line is that a user password got compromised. How this happened we will never know but we know that the IP, user and password were emailed to someone else in a single email. We also do not at present know the status of anti-virus/malware software on the various client PCs.
Always always ALWAYS run a good virus scanner on your workstations.
Seems there is a new security issue from parallels. More information is located here:
Patch information is here:
Seems that the set of actually vulnerable servers is pretty narrow, but we will be logging into all Plesk servers and checking/patching them.