Showing posts with label plesk. Show all posts

Botnet using Plesk vulnerability and takedown

Parallels Plesk
Today, while investigating the Plesk/Apache remote code execution vulnerability disclosed by Kingcope, we uncovered what appeared to be a sizeable botnet leveraging this vulnerability to infect web servers with a malicious IRC bot written in Perl, a loosely modified version of a publicly known tool.

A large list of hosts believed to be infected was generated from the data gathered, and probed in an automated fashion for vulnerable Plesk installations. Over 900 of the hosts attempting to connect were running vulnerable Plesk installations, confirming our suspicion that the Plesk exploit was how this malware was spreading; based on our estimates, about 40 hosts were being infected per hour, which we found intolerable.

Source

Supposed zero-day exploit for Plesk

Plesk
The hacker known as KingCope has taken to the security mailing list Full Disclosure to publish what seems to be a zero-day exploit for Plesk, the hosting software package made by Parallels. KingCope says that the exploit uses specially prepared HTTP queries to inject PHP commands and that he has successfully tested it on Plesk 9.5.4, 9.3, 9.2, 9.0 and 8.6 on Red Hat, CentOS and Fedora. Version 11.0.9 is apparently not affected.
The hacker seems to have found a way to use a POST request to launch the PHP interpreter with any configuration parameters that an attacker may want; the interpreter can then be made to carry out any command at will. The exploit uses the requested URL to start the interpreter with the desired parameters (say, "safe_mode=off"), and the PHP code that is to be executed is in the data portion of the request.