
Plesk version> 10.4: vulnerability


S0phie
14-03-2012, 19:27
Hello,

A major vulnerability was discovered in Plesk, allowing full access to the panel. The versions from 7.6.1 to 10.3.1 are vulnerable. Versions 10.4 are not affected.

To find out if your server is vulnerable, see the following article: http://kb.parallels.com/en/113424

To apply the Plesk micro-updates, please follow this article: http://kb.parallels.com/en/9294

For more information: http://kb.parallels.com/en/113321

---------- Important ----------

It is strongly recommended to change all passwords for Plesk users and Admin account: http://kb.parallels.com/en/113391

Check and clean your server in case it has been exploited:

1.) Delete the backdoor:
Delete all files in the /tmp directory on your server.
You should see files named 'u' or 'id' for example.

2.) Locate cgi and perl scripts
Type the following command: ls -al /var/www/vhosts/*/cgi-bin/*.pl .
You'll see in each cgi-bin folder .pl or .cgi files with different names.
Example: preaxiad.pl, dialuric.pl, fructuous.pl .
Delete all these scripts if they are not yours.

3.) Secure your site:
Injections took place on WordPress, Drupal and/or Joomla. Make sure your sites use the very latest version of the CMS.
Disable, via the Plesk panel in the hosting section, the CGI-BIN option for sites that do not use this option.
Also change the ftp/sql password of your sites.

4.) Locate the source IP:
You can grep for the name of the script (script.pl) in the access_log of your site to find the IP that performed the injection.

For example:
zgrep 'preaxiad' /var/www/vhosts/VOTREDOMAINEICI/statistics/logs/access_log*
It should return a line like:
12.34.56.78 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"
Use the IP at the beginning of this line to see if other sites are affected.

Example:
zgrep 'ip.in.question.here' /var/www/vhosts/*/statistics/logs/access_log*

This will then return the list of logs for the sites on which the script has been called.

---------- Get help ----------

Our team can take care of the verification / update of your server. To do so, please submit a ticket:
https://www.ovh.co.uk/support/declare_incident.xml

The intervention will be charged 80 VAT and includes:
- Removing scripts / backdoors
- Checking for the presence of the vulnerability
- The micro-update and update of your Plesk


Neil
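As an added example that is not part of the original post, the following POSIX shell functions automate steps 2 and 4 above: they list every .pl/.cgi under each vhost's cgi-bin, extract the client IPs that requested a given script from the access logs (rotated .gz logs included), and report which other vhosts those IPs touched. The base directory (normally /var/www/vhosts), the vhost names and the log lines in the sample tree are constructed assumptions for running it offline.

```shell
#!/bin/sh
# Added example, not code from the original post: a triage helper for steps 2 and 4.
# The base directory is a parameter (normally /var/www/vhosts) so the same functions
# can be run against a constructed sample tree.

# Step 2: every .pl / .cgi file under any vhost's cgi-bin below $1.
list_cgi_scripts() {
    find "$1" -path '*/cgi-bin/*' -type f \( -name '*.pl' -o -name '*.cgi' \) | sort
}

# Stream one log file, transparently decompressing rotated *.gz logs.
cat_log() {
    case "$1" in *.gz) gzip -dc "$1" ;; *) cat "$1" ;; esac
}

# Step 4a: distinct client IPs that requested script $2 in any access_log* below $1.
source_ips_for_script() {
    for f in "$1"/*/statistics/logs/access_log*; do
        [ -f "$f" ] || continue
        cat_log "$f" | awk -v s="/cgi-bin/$2" 'index($0, s) { print $1 }'
    done | sort -u
}

# Step 4b: vhost names whose logs record any request from client IP $2.
vhosts_hit_by_ip() {
    for f in "$1"/*/statistics/logs/access_log*; do
        [ -f "$f" ] || continue
        if cat_log "$f" | awk -v ip="$2" '$1 == ip { hit = 1; exit } END { exit !hit }'; then
            rel=${f#"$1"/}; echo "${rel%%/*}"
        fi
    done | sort -u
}

# Constructed sample tree (fake vhosts and fake log lines) standing in for /var/www/vhosts.
build_sample_tree() {
    base=$(mktemp -d)
    for v in alpha.example beta.example gamma.example; do
        mkdir -p "$base/$v/cgi-bin" "$base/$v/statistics/logs"
    done
    : > "$base/alpha.example/cgi-bin/preaxiad.pl"
    : > "$base/beta.example/cgi-bin/dialuric.cgi"
    : > "$base/gamma.example/cgi-bin/counter.pl"   # a legitimate script is listed too
    echo '12.34.56.78 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21"' > "$base/alpha.example/statistics/logs/access_log"
    echo '12.34.56.78 - - [01/Mar/2012:02:40:10 +0100] "GET /cgi-bin/dialuric.cgi HTTP/1.1" 200 181 "" "Opera/7.21"' > "$base/beta.example/statistics/logs/access_log"
    echo '192.0.2.9 - - [01/Mar/2012:04:00:00 +0100] "GET /cgi-bin/counter.pl HTTP/1.1" 200 20 "" "curl/7.2"' > "$base/gamma.example/statistics/logs/access_log"
    echo "$base"
}
```

Against the sample tree, `source_ips_for_script "$base" preaxiad.pl` yields 12.34.56.78 and `vhosts_hit_by_ip "$base" 12.34.56.78` yields alpha.example and beta.example, i.e. the second vhost that the same client hit; delete the temporary tree afterwards.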