A major vulnerability was discovered in Plesk, allowing full access to the panel. Versions 7.6.1 through 10.3.1 are vulnerable; version 10.4 is not affected.
To find out if your server is vulnerable, see the following article: http://kb.parallels.com/en/113424
To apply the Plesk micro-updates, please follow this article: http://kb.parallels.com/en/9294
For more information: http://kb.parallels.com/en/113321
It is strongly recommended to change all passwords for Plesk users and Admin account: http://kb.parallels.com/en/113391
Check and clean your server in case it has been exploited:
1.) Delete the backdoor:
Delete all files in the /tmp directory on your server. You should see files named 'u' or 'id', for example.
2.) Locate cgi and perl scripts
Type the following command: ls -al /var/www/vhosts/*/cgi-bin/*.pl . In each cgi-bin folder you will see .pl or .cgi files with different names.
Example: preaxiad.pl, dialuric.pl, fructuous.pl.
Delete all these scripts if they are not yours.
3.) Secure your site
Injections took place on WordPress, Drupal and/or Joomla sites. Make sure your sites run the very latest version of their CMS. In the Plesk panel, under the hosting section, disable the CGI-BIN option for sites that do not use it.
Also change the FTP/SQL passwords of your sites.
4.) Locate the source IP
You can grep the name of the script (e.g. preaxiad.pl) in the access_log of your site to find the IP that performed the injection.
zgrep 'preaxiad' /var/www/vhosts/YOURDOMAINHERE/statistics/logs/access_log*
It should return a line like:
184.108.40.206 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"
Use the IP at the beginning of this line to see if other sites are affected.
zgrep 'ip.in.question.here' /var/www/vhosts/*/statistics/logs/access_log*
This returns the matching log lines for every site from which the script has been called.
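A shell triage helper for steps 2 and 4 above, added here as an example and not part of the original notice or of Plesk: it lists the .pl/.cgi files in every cgi-bin, extracts the distinct source IPs that requested a given script from one site's access_log files (plain or gzip-rotated), and counts per site the requests coming from one IP. It assumes the /var/www/vhosts/<domain>/cgi-bin and .../statistics/logs/access_log* layout used in the commands above; the sample tree and log lines at the end are constructed (the 203.0.113.9 entry is a documentation address).

```shell
#!/bin/sh
# Added triage helper for steps 2 and 4 above (example code, not the provider's or Parallels').
# Assumes the Plesk paths the notice uses under $VHOSTS; VHOSTS is overridable for a dry run.
VHOSTS="${VHOSTS:-/var/www/vhosts}"
# Step 2: every .pl/.cgi in each cgi-bin with owner and mtime, newest first, so files you
# did not put there (the notice names preaxiad.pl, dialuric.pl, fructuous.pl) stand out.
list_cgi_scripts() {
    find "$VHOSTS"/*/cgi-bin -maxdepth 1 -type f \( -name '*.pl' -o -name '*.cgi' \) \
        -exec ls -lt {} + 2>/dev/null
}
# Read a plain or gzip-rotated access_log transparently.
read_log() { case "$1" in *.gz) gzip -dc -- "$1" ;; *) cat -- "$1" ;; esac; }
# Step 4a: distinct client IPs that requested the named script in one vhost's logs.
ips_for_script() {
    for f in "$VHOSTS/$2"/statistics/logs/access_log*; do
        [ -f "$f" ] && read_log "$f"
    done | grep -F -- "/cgi-bin/$1" | awk '{print $1}' | sort -u
}
# Step 4b: for one source IP, print "<domain> <hits>" per vhost whose logs carry requests
# from it (the notice's second zgrep, summarised per site).
sites_hit_by_ip() {
    for logdir in "$VHOSTS"/*/statistics/logs; do
        [ -d "$logdir" ] || continue
        domain=${logdir#"$VHOSTS"/}; domain=${domain%%/*}; hits=0
        for f in "$logdir"/access_log*; do
            [ -f "$f" ] || continue
            n=$(read_log "$f" | awk -v ip="$1" '$1 == ip {c++} END {print c+0}')
            hits=$((hits + n))
        done
        [ "$hits" -gt 0 ] && echo "$domain $hits"
    done
    return 0
}

# Constructed sample tree: two vhosts, log lines modelled on the one quoted in the notice.
make_sample_tree() {
    VHOSTS=$(mktemp -d)
    for d in other.example victim.example; do mkdir -p "$VHOSTS/$d/cgi-bin" "$VHOSTS/$d/statistics/logs"; done
    : > "$VHOSTS/victim.example/cgi-bin/preaxiad.pl"
    printf '%s\n' '184.108.40.206 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"' \
        '203.0.113.9 - - [01/Mar/2012:03:00:00 +0100] "GET /index.php HTTP/1.1" 200 512 "" "Mozilla/5.0"' \
        > "$VHOSTS/victim.example/statistics/logs/access_log"
    printf '%s\n' '184.108.40.206 - - [01/Mar/2012:02:40:10 +0100] "GET /cgi-bin/fructuous.pl HTTP/1.1" 404 0 "" "-"' \
        > "$VHOSTS/other.example/statistics/logs/access_log.1"
}

make_sample_tree                            # dry run; drop these three lines on a live server
ips_for_script preaxiad.pl victim.example   # prints 184.108.40.206
sites_hit_by_ip 184.108.40.206              # prints "other.example 1" and "victim.example 1"
```

On a live server, run the functions with the real /var/www/vhosts tree and treat every listed IP and script name as input for steps 2 and 4, not as proof on its own.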
Need help? We’re here!
Our team can help you to verify and update your Plesk service. If you need help with any of the steps above, please contact our support. Depending on your service with us, this intervention might be charged (we will inform you of this in advance).
The intervention includes:
- Removing scripts / backdoors
- Checking for the presence of the vulnerability
- Applying the micro-update and updating your Plesk