
I've been helping a little hosting company. They have servers offering .NET hosting with Windows & IIS. For client management, domain creation and this kind of stuff they're using Parallels Plesk, which works well.

It seems that in the process of generating statistics 'Perl.exe' is used to parse IIS log files. Today we've found that some users are infected by a DoS system called Gootkit. A lot of malicious scripts are found in the cgi-bin folder. I don't know exactly how, but they are invoked somehow (and executed via Perl with its IUSR user).

We have isolated these scripts and the problem has stopped by now. We also added a false route in Windows to the destination IP of the attack in order to prevent the output of the traffic.

Beyond these specific reactive actions, I was wondering: what is the correct checklist that you have to follow to prevent these issues in the first place? Currently, Windows Firewall is active and running, Kaspersky AV is in place, and there is a hardware firewall in place. However, simple upload and invocation of these scripts has induced the network interface to work at 100%, affecting all the machines of the datacenter.

How can we do a better job of protecting our servers?

Skyhawk
Jacob
  • Have you looked at the answers on http://serverfault.com/questions/218005/my-servers-been-hacked-emergency ? – voretaq7 Mar 05 '12 at 19:44

1 Answer

One of our customers was similarly affected; the files were uploaded through POST requests to the URI /plesk/client@{client number}/domain@{domain number}/hosting/file-manager/create-file

They are, I believe, invoked by a web request that usually includes the target and the type of attack (SYN flood etc).

To prevent it happening again, make sure you are running the most up-to-date version of Plesk, ensure all passwords are strong and, most importantly of all, ensure you have no SQLi vulnerabilities in anything on that server. Plesk stores user passwords in plaintext, so if an attacker can run arbitrary SQL they can retrieve them, log in and upload files.

B Tasker
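A defender-side triage of IIS W3C logs for the upload-then-invoke pattern this answer describes: POSTs to the Plesk file-manager create-file URI from the same client that then requests Perl scripts under /cgi-bin. This is an added example, not code from the original thread; the log lines, IP addresses and script name are constructed.

```python
"""Triage IIS W3C logs for Plesk create-file uploads followed by cgi-bin script requests."""
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format (the #Fields line defines the columns).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-03-05 19:01:02 203.0.113.7 POST /plesk/client@12/domain@34/hosting/file-manager/create-file - 200
2012-03-05 19:01:09 203.0.113.7 GET /cgi-bin/sync.pl target=198.51.100.9&mode=syn 200
2012-03-05 19:02:00 198.51.100.20 GET /index.html - 200
2012-03-05 19:03:15 203.0.113.7 GET /cgi-bin/sync.pl target=198.51.100.9&mode=syn 200
"""

# URI shapes taken from the answer above; the client/domain numbers vary per account.
CREATE_FILE_RE = re.compile(r"^/plesk/client@\d+/domain@\d+/hosting/file-manager/create-file$", re.I)
CGI_RE = re.compile(r"^/cgi-bin/[^/]+\.(pl|cgi)$", re.I)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def triage(text):
    """Return {client_ip: {"uploads": n, "cgi_hits": n}} for IPs that both POSTed to the
    Plesk create-file URI and requested a script under /cgi-bin."""
    per_ip = defaultdict(lambda: {"uploads": 0, "cgi_hits": 0})
    for rec in parse_w3c(text):
        ip, method, stem = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]
        if method == "POST" and CREATE_FILE_RE.match(stem):
            per_ip[ip]["uploads"] += 1
        elif CGI_RE.match(stem):
            per_ip[ip]["cgi_hits"] += 1
    return {ip: c for ip, c in per_ip.items() if c["uploads"] and c["cgi_hits"]}


if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(f"{ip}: {counts['uploads']} create-file POST(s), {counts['cgi_hits']} cgi-bin request(s)")
```

Point `triage()` at a real W3C log (with the same fields enabled) to list the client IPs worth examining; a hit is a lead to verify against the cgi-bin directory contents, not a verdict on its own.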