Remote vulnerability in Plesk Panel < 10.4

Posted on March 14, 2012 by Florian Jensen

Hi,

A major vulnerability was discovered in Plesk, allowing full access to the panel. The versions from 7.6.1 to 10.3.1 are vulnerable. Versions 10.4 are not affected.

To find out if your server is vulnerable, see the following article: http://kb.parallels.com/en/113424

To apply the Plesk micro-updates, please follow this article: http://kb.parallels.com/en/9294

For more information: http://kb.parallels.com/en/113321

Important

It is strongly recommended to change all passwords for Plesk users and Admin account: http://kb.parallels.com/en/113391

Check and clean your server in case it would have been exploited:

1.) Delete the backdoor:

Delete all files in the /tmp directory on your server. You should see files named ‘u’ or ‘id’ for example.

2.) Locate cgi and perl scripts

Type the following command: ls -al /var/www/vhosts/*/cgi-bin/*.pl . You’ll see in each cgi-bin folder of the file. .pl or .cgi with different names.

Example: preaxiad.pl, dialuric.pl, fructuous.pl .

Delete all these scripts if they are not yours.

3.) Secure your site

Injections took place on wordpress, drupal and /or joomla. Make sure your sites use the very latest version of the CMS. Disable via plesk panel in the hosting section the CGI-BIN option for sites that do not use this option.

Also change the ftp/sql password of your sites.

4.) Locate the source IP

You can grep the name of script.pl in access_log of your site to find the IP that performed the injection.

For example:

zgrep 'preaxiad' /var/www/vhosts/YOURDOMAINHERE/statistics/logs/access_log*

It should return a line like:

12.34.56.78 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"

Use the IP at the beginning of this line to see if other sites are affected.

zgrep 'ip.in.question.here' /var/www/vhosts/*/statistics/logs/access_log*

This will then return the list of logs to sites the script have been called.

Need help? We’re here!

Our team can help you to verify and update your Plesk service. If you need help with any of the steps above, please contact our support. Depending on your service with us, this intervention might be charged (we will inform you of this in advance).

The intervention will include:

  • Removing scripts / backdoors
  • Check the presence of the fault
  • The microupdate and update of your plesk
This entry was posted in Dedicated Servers, Security, VPS and tagged , , . Bookmark the permalink.
0 comments
  Livefyre
Newest | Oldest