Atomic Secure Linux
 Post subject: Brute force attacks on sw-cp-server
Unread postPosted: Fri Oct 28, 2011 1:53 pm 
Hello,

I have several times suffered from brute force attacks on our Plesk control panel.

/var/log/sw-cp-server/error_log:

Code:
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 0 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 1 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 2 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 3 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 4 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 5 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 0 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 1 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 2 load: 139
2011-10-28 01:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
all children busy, launch additional (total 3, limit 30)



My processlist says this:

Code:
psaadm 3898 0.0 0.0 224688 14564 ? Ss 01:23 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 8416 0.0 0.1 287232 31984 ? S 01:27 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 8429 0.0 0.1 288556 33032 ? S 01:27 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 8430 0.0 0.1 287488 32176 ? S 01:27 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 7561 0.0 0.0 224696 14556 ? Ss 01:25 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 8967 0.0 0.1 287236 31956 ? S 01:28 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 8968 0.0 0.1 287236 31956 ? S 01:28 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 8969 0.0 0.1 287236 31936 ? S 01:28 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 8375 0.0 0.0 224720 14564 ? Ss 01:27 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 9655 0.0 0.1 287260 32052 ? S 01:30 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 9666 0.0 0.1 287260 32036 ? S 01:30 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 9678 0.0 0.2 288296 33088 ? S 01:30 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 8970 0.0 0.0 224724 14556 ? Ss 01:28 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 10303 0.0 0.1 287268 31912 ? S 01:31 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 10304 0.0 0.1 287268 31892 ? S 01:31 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 10305 0.0 0.1 287268 31912 ? S 01:31 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 9680 0.0 0.0 224668 14564 ? Ss 01:30 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 10865 0.0 0.1 287212 31904 ? S 01:32 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 10874 0.0 0.1 287212 31884 ? S 01:32 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 10875 0.0 0.1 287212 31884 ? S 01:32 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 10274 0.0 0.0 224700 14564 ? Ss 01:31 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 11524 0.0 0.1 287244 31916 ? S 01:34 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 11525 0.0 0.1 287244 31892 ? S 01:34 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 11526 0.0 0.1 287244 31892 ? S 01:34 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 10885 0.0 0.0 224704 14560 ? Ss 01:32 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 12166 0.0 0.1 287248 31912 ? S 01:35 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 12167 0.0 0.1 287248 31932 ? S 01:35 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 12168 0.0 0.1 287248 31912 ? S 01:35 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 11499 0.0 0.0 224692 14564 ? Ss 01:34 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 12742 0.0 0.1 287236 31880 ? S 01:37 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 12743 0.0 0.1 287236 31880 ? S 01:37 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 12744 0.0 0.1 288268 32932 ? S 01:37 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 12125 0.0 0.0 224660 14564 ? Ss 01:35 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad
psaadm 13342 0.3 0.1 287204 31920 ? S 01:38 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 13365 0.3 0.1 288240 32956 ? S 01:38 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 13366 0.3 0.1 287204 31920 ? S 01:38 0:00 | \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u p
psaadm 12774 0.0 0.0 224692 14556 ? Ss 01:37 0:00 \_ /usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaad


Server load is fine:

Code:
top - 01:41:59 up 18 min, 1 user, load average: 0.41, 0.48, 0.49
Tasks: 402 total, 3 running, 399 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.9%us, 0.4%sy, 0.0%ni, 97.6%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 16521784k total, 4581176k used, 11940608k free, 106944k buffers
Swap: 4192956k total, 0k used, 4192956k free, 1604852k cached


The Plesk control panel is therefore no longer accessible.
Is there a way to avoid it or automatically block the attack?
When I did a netstat -pantu I found the IP and blocked it; after that it was all working normally again.


Thanks in advance


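A defender-side check for the error_log pattern shown in the post, added here as an example; it is not part of the original post and not Plesk or Atomicorp tooling. It parses sw-cp-server error_log lines in the format above and flags a burst when the number of "backend is overloaded" events inside a trailing time window reaches a threshold. The threshold and window are assumed tuning values, and the sample lines are copied from the post; note that these error_log lines carry no client address, so an actual block still needs the IP from netstat or the access log, as the poster did.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Line shape seen in /var/log/sw-cp-server/error_log:
# "2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, ... load: 139"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \(([^)]+)\) (.*)$")
LOAD_RE = re.compile(r"load: (\d+)")

def parse_line(line):
    """Return (timestamp, source, message, load) or None for lines without the
    timestamp prefix, e.g. 'all children busy, launch additional ...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    load = LOAD_RE.search(m.group(3))
    return ts, m.group(2), m.group(3), int(load.group(1)) if load else None

def find_overload_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return [(timestamp, count, max_load)] each time the number of 'backend is
    overloaded' events in the trailing window reaches threshold (assumed values)."""
    recent, bursts = deque(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or "backend is overloaded" not in parsed[2]:
            continue
        ts, load = parsed[0], parsed[3] or 0
        recent.append((ts, load))
        while ts - recent[0][0] > window:      # drop events outside the window
            recent.popleft()
        if len(recent) == threshold:           # fire once per crossing
            bursts.append((ts, len(recent), max(l for _, l in recent)))
    return bursts

# Sample copied from the post above (three of the nine overload lines kept).
SAMPLE_LOG = """\
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 0 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 1 load: 139
2011-10-28 01:37:07: (mod_fastcgi.c.2873) backend is overloaded, we disable it for a 2 seconds and send the request to another backend instead: reconnects: 2 load: 139
2011-10-28 01:37:08: (connections.c.299) SSL: 1 error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
2011-10-28 01:37:10: (mod_fastcgi.c.2651) fcgi-server re-enabled: 0 /usr/local/psa/tmp/sw-engine.sock
all children busy, launch additional (total 3, limit 30)
"""

if __name__ == "__main__":
    for ts, count, load in find_overload_bursts(SAMPLE_LOG.splitlines(), threshold=3):
        print(f"{ts}: {count} overload events in window, backend load {load}")
```

Run it against the live error_log with `tail -F` piped in to get an early warning of the condition the post describes; the alert is a signal to go and find the source with netstat or the access log, not a block on its own.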
 