Thread: POP3 Filtering for Windows Plesk Servers

  1. #1
    dan Guest

    POP3 Filtering for Windows Plesk Servers

    Hi,

    As of 8:00PM EST (02.24.07) a deny filter for POP3 (port 110) has been placed on our edge routers for all Windows servers that run Plesk. The filter has been deployed in efforts to keep those Windows servers from getting hacked, as it seems that a small scale outbreak is taking place and infecting Windows machines with Plesk. The vulnerable software is MailEnable and you can view the advisory here:

    http://secunia.com/advisories/23127/

    Although there hasn't been an official statement from SWsoft, there is plenty of discussion taking place on their forum:

    http://forum.swsoft.com/showthread.p...pagenumber=5

    Unfortunately, the current version of Plesk that SWsoft distributes also contains the vulnerable version of MailEnable, so updating Plesk just at this moment won't do much.

    There is a hotfix released by MailEnable, which is available via the Secunia advisory URL, but we cannot confirm whether this is a permanent fix or not. The best solution at this moment is to wait for something official to come from SWsoft themselves.

    Of course, we fully realize that blocking POP3 connectivity is a very blunt method to deal with this issue, but at least you can bathe in the knowledge that your server won't be hacked until a fix has been issued :-)

    Thanks,

    -Daniel

  2. #2
    Quote Originally Posted by dan
    Of course, we fully realize that blocking POP3 connectivity is a very blunt method to deal with this issue, but at least you can bathe in the knowledge that your server won't be hacked until a fix has been issued :-)
    A tough decision to be sure. But one that we HD clients do appreciate. Thanks for taking care of us (and by default, our Clients as well).
    DocHolliday - Fort Worth, Texas
    "Foat Wuth, Ah Luv Yew!"

  3. #3
    dan Guest
    Good news, SWsoft has confirmed the worm/virus outbreak and has posted a fix on their site. Your Windows server with Plesk requires this fix if by visiting sites hosted on your server you get a password prompt.

    You can read about the fix here:

    http://kb.swsoft.com/article_156_1716_en.html

    The second part, the worm-related part, has not been confirmed yet, but we have been able to clean systems by following these steps:

    1) Open up the services menu from the control panel

    2) Scroll until you see the service named "Mail enable SMTP Relay Service"

    3) Right click to properties

    4) Change startup type to 'Disabled'

    5) Click on the "Log On" tab, and un-select the checkbox "Allow service to interact with desktop". Click on Apply.

    6) Run the following at the command prompt "wmic process where name='mesmtpsvc.exe' delete" - Agree to kill it.

    7) Go to C:\windows\system32\ and remove the rdriv.sys (rootkit driver? Nice!) file.

    8) The following additional files should be removed as well:

    c:\windows\system32\bw.exe
    c:\windows\system32\nc.exe
    c:\windows\system32\pack.exe
    c:\windows\system32\gethashes.exe
    c:\windows\system32\saminside.ini
    c:\windows\system32\psinfo.exe
    c:\windows\system32\start.bat
    c:\windows\system32\sami.bat
    c:\windows\system32\SAMinside.INI
    c:\windows\system32\bot.exe

    Due to the fact that there are multiple variations of the worm, some files listed above might not be on your system - this is fine. Remove whatever files you do find, and you should be good to go.

    9) Download the following Hotfixes and execute:

    -http://www.mailenable.com/hotfix/ME-10026.EXE
    -http://www.mailenable.com/hotfix/ME-10027.EXE

    That is it. We have patched a ton of Windows servers already, and are still working on more as we speak. The filter list is slowly but surely becoming smaller and smaller.

    As always, if you have any questions or comments, please submit a ticket to our helpdesk.

    ( Thanks for the thumbs up Doc :-) )

    Thanks,

    -Daniel
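The manual cleanup Daniel lists in steps 2 through 8 above, written as an audit-first PowerShell script. This is an added example, not code from the post or from SWsoft/MailEnable; it assumes you run it as Administrator, that the service display name and file paths are exactly as written in the post, and it deliberately leaves step 5 (the "interact with desktop" checkbox) and step 9 (the hotfixes) to be done by hand as the post describes.

```powershell
# Audit a Windows/Plesk host for the indicators listed in the post; apply the
# cleanup only when -Remediate is given. Run from an elevated prompt.
param([switch]$Remediate)

# File list copied from the post (saminside.ini and SAMinside.INI are one path
# on a case-insensitive filesystem, so it appears once here).
$indicatorFiles = @(
    'C:\windows\system32\rdriv.sys',
    'C:\windows\system32\bw.exe',
    'C:\windows\system32\nc.exe',
    'C:\windows\system32\pack.exe',
    'C:\windows\system32\gethashes.exe',
    'C:\windows\system32\saminside.ini',
    'C:\windows\system32\psinfo.exe',
    'C:\windows\system32\start.bat',
    'C:\windows\system32\sami.bat',
    'C:\windows\system32\bot.exe'
)

$found = @($indicatorFiles | Where-Object { Test-Path -LiteralPath $_ })
if ($found.Count -gt 0) {
    Write-Host "Indicator files present:"
    $found | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "None of the listed indicator files are present."
}

# Steps 2-4: the relay service, looked up by the display name given in the post (assumption).
$svc = Get-Service -DisplayName 'Mail enable SMTP Relay Service' -ErrorAction SilentlyContinue
if ($svc) { Write-Host ("Service '{0}' is {1} (startup: {2})" -f $svc.Name, $svc.Status, $svc.StartType) }

# Step 6: the process the post kills with wmic.
$proc = @(Get-Process -Name 'mesmtpsvc' -ErrorAction SilentlyContinue)
if ($proc.Count -gt 0) { Write-Host "mesmtpsvc.exe running, PID(s): $($proc.Id -join ', ')" }

if (-not $Remediate) { Write-Host "Audit only. Re-run with -Remediate to apply the cleanup."; return }

if ($svc) {
    Set-Service -Name $svc.Name -StartupType Disabled
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
}
if ($proc.Count -gt 0) { $proc | Stop-Process -Force }

foreach ($f in $found) {
    # Keep a copy for later analysis, then remove the file (step 7-8). A locked
    # driver file will report an error here rather than silently staying behind.
    Copy-Item -LiteralPath $f -Destination "$env:TEMP\quarantine_$(Split-Path $f -Leaf)" -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $f -Force -ErrorAction Continue
}
Write-Host "Cleanup applied. Finish with step 5 in the Services console and the hotfixes in step 9."
```

Run it once without the switch to see what it would touch, then with -Remediate.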
