Comments on: Plesk 0Day For Sale As Thousands of Sites Hacked

By: Brian

Brian — Thu, 09 Aug 2012 06:33:41 +0000

Any insight as to why kaspersky not detecting this…

my AVGfree system regales plesk threat and presence OK

By: dj

dj — Tue, 07 Aug 2012 13:47:40 +0000

hi guys,

my friends server was also hit via plesk,
through the filemanager, and % in the urls with the client ids

untill now i only found and removed js code from my indexes, php and html

but now i found an other variant, in the index they insert an include statement, to include an other file situated and looking like a log file.

then it is decoded and executed.

it is quite advanced coding, getting ads from some server, and lots of code to detect if its a googlebot or so, and then keep quiet

i found it out nearly by chance
(no i am not going to tell how i found it, it might help the hacker)

so, try to search for files around the infection date.

this one is not detected by a virusscanner
(dowload the code and run a scanner over it doesnt work)

hope this helps someone, dj

By: Claire Towne

Claire Towne — Fri, 20 Jul 2012 11:19:10 +0000

Is there any update on if and how it is possible to retrieve data?

By: jeffatrackaid

jeffatrackaid — Mon, 16 Jul 2012 19:13:43 +0000

I am seeing more cases of web site files having javascript injections. The entry point is via the Plesk File Manager.

I speculate that the attackers may have obtained the passwords months ago and if the password were not reset they are simply returning to get into the system.

The latest round of attacks we see are on July 6th and 9th.

By: PC.Tech

PC.Tech — Sun, 15 Jul 2012 18:00:32 +0000

Plesk Panel 10.x for Windows…
* http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-windows-updates-release-notes.html
15-Jul-2012 – “… Fixed critical Plesk security issues found during internal security audit. All customers are highly recommended to update…”

Plesk Panel 10.x for Linux…
- http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html
15-Jul-2012 – “… Fixed critical Plesk security issues found during internal security audit. All customers are highly recommended to update…”
.

By: PC.Tech

PC.Tech — Sun, 15 Jul 2012 16:56:34 +0000

- http://www.securitytracker.com/id/1027243
Jul 12 2012
CVE Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1557 – 7.5 (HIGH)
Impact: Disclosure of system information, Disclosure of user information, User access via network
Version(s): prior to 10.4.x
Solution: The vendor has issued a fix.
The fix also includes a Mass Password Reset Script that must be executed to remove existing sessions and prevent a recurrence.
The vendor’s advisory is available at:
- http://kb.parallels.com/en/113321

- https://secunia.com/advisories/48262
.

By: YC

YC — Sat, 14 Jul 2012 18:27:19 +0000

Hi Edosan,

Can you share with us some sample logs on how they grab the plesk passwords? I guess it will be much helpful for us in term of detection.

By: edosan

edosan — Fri, 13 Jul 2012 10:06:18 +0000

This latest report got me a bit twitchy as we got hit really bad In February. What we noticed from our logs was that the original wave of attacks were doing nothing more than grabbing plesk passwords. So once patched you then needed to block 8443, patch plesk, change all passwords(domain users, clients and admin) and then ensure users didn’t revert to old passwords. This was a LOT of effort and I’m guessing many ISPs probably didn’t really have a clue what was happening and didn’t resolve the issue logically. I suspect that this ‘tool’ probably has the large pricetag because it has access to a large database of previouslt exploited servers as well as trying the original sql injection attack on agent.php…

By: anon

anon — Fri, 13 Jul 2012 09:39:56 +0000

yes, exactly — easy to see it by ID/sequence

By: infodox

infodox — Thu, 12 Jul 2012 18:43:08 +0000

Alan – Hackers generally do not fire exploits around willy-nilly, as that is a GREAT way to get nailed by a honeypot or to cock up and get yourself arrested. It is much preferred to spend a second checking your target before you let loose…