Hackers steal passwords at Proserve via Plesk vulnerability

Login details of Proserve hosting customers appear to have been stolen in recent weeks via a vulnerability in the server management tool Plesk. The attackers appear to have succeeded in installing DDoS tools on some of the Dutch hosting company's servers.

Proserve provides hosting services to individuals, businesses and other hosting companies, and says it has more than 4,500 servers under management. The company, active since 2000 and calling itself "one of the bigger players on the Dutch market", has fallen victim to hackers in the past few weeks, with all passwords stolen from the Plesk database of various servers.

Plesk is a management tool for servers that makes it possible to manage domains via a web interface. According to Proserve, the attackers stole all customer data from the affected databases. This reportedly includes reseller, client and domain information, FTP passwords, database logins and mail logins of all associated domain names.

The attackers got into the systems via a serious vulnerability in Plesk, about which Proserve had warned its customers a few weeks ago. Although the hosting company installed all available updates for various clients, it appears that not all customers without a service agreement with the company did so themselves. "Unfortunately, we must conclude that for a number of customers, the vulnerability had already been exploited before the servers were updated," according to Proserve.

It is not known on how many servers the attackers managed to obtain login details. Because the Plesk flaw was already known, Proserve does not rule out that this has happened before. The attackers abused the captured data to install DDoS tools on some of the servers. To this end, Perl files were placed on the servers and cron jobs were created that regularly use the servers to DDoS Facebook via port 53. The hosting company cannot rule out that the login credentials are being abused in other ways.
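For administrators checking their own Plesk servers for the cron jobs described above, the following is an added example (not from the article or from Proserve) that lists every user-crontab entry invoking Perl for manual review. The article gives no file names, paths or schedules, so the sample crontabs are constructed, and legitimate Perl jobs will be listed too.

```python
import re
import shlex

# Constructed sample: per-account output of `crontab -l`. Account names,
# paths and schedules are made up; the article gives none of them.
SAMPLE_CRONTABS = {
    "site1": 'MAILTO=""\n# nightly job\n0 3 * * * /usr/bin/php /var/www/vhosts/site1/cron.php\n',
    "site2": "*/5 * * * * perl /var/www/vhosts/site2/httpdocs/.cache/u.pl >/dev/null 2>&1\n",
    "site3": "@reboot /tmp/.x/run.pl\n15 * * * * /usr/bin/env perl -e 'print 1'\n",
}

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def cron_command(line):
    """Return the command part of a user-crontab line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    # "@reboot cmd" has one schedule field, a normal entry has five.
    schedule_fields = 1 if line.startswith("@") else 5
    parts = line.split(None, schedule_fields)
    return parts[schedule_fields] if len(parts) > schedule_fields else None

def runs_perl(command):
    """True if any word is a perl interpreter or a *.pl script."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to plain splitting
        words = command.split()
    for word in words:
        name = word.rsplit("/", 1)[-1]
        if name == "perl" or name.startswith("perl5") or name.endswith(".pl"):
            return True
    return False

def audit(crontabs):
    """Return (account, command) for every cron entry that runs Perl."""
    hits = []
    for account, text in crontabs.items():
        for line in text.splitlines():
            command = cron_command(line)
            if command and runs_perl(command):
                hits.append((account, command))
    return hits

if __name__ == "__main__":
    for account, command in audit(SAMPLE_CRONTABS):
        print(f"{account}: {command}")
```

Each hit is a lead to compare against what the account owner knowingly scheduled, not proof of compromise.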

Incidentally, Proserve also had to deal with an incoming DDoS attack earlier this month. It is not clear whether the two attacks are connected. That first wave of DDoS attacks was particularly powerful. In total, more than 10 Gbps was fired at Proserve's network; the heaviest attack that Tweakers.net has ever had to endure was around 7 Gbps.

The first DDoS attacks appear to have been directed at the hosting company KnownSRV, which takes services from Proserve through a reseller. To finally stop the attack, Proserve decided to cease its services to this reseller and to block all network traffic to that company's servers, according to a report that Proserve sent to its customers.

KnownSRV has informed its customers of the problems. The company has found a new data center for its servers. This data center has been informed of the problems and says it has enough capacity. Shared hosting accounts of KnownSRV are hosted at Evoswitch.

