Plesk Zero Day Exploit
POSTED ON WEDNESDAY, JULY 11, 2012 AT 6:14 PM
To Plesk or not to Plesk, that is the question. Or is it? On the morning of Thursday June 21st, 2012, I received an e-mail message from one of our web design clients asking if their website had somehow been "corrupted". This e-mail couldn't have come at a worse time.
I was just on my way out the door to do an all-day-long Macintosh computer installation which involved taking an old Power Mac G5 offline, installing a brand new Mid 2011 iMac in its place, upgrading the RAM and doing a complete data transfer along with new software installations (Adobe Creative Suite CS6 and the works). Needless to say, I had my hands full. Upon checking out our client's website, this is what I saw:
Corrupted? How about hacked? Clicking on any of the buttons (or on the link which we blurred out in the above screenshot) led to a dot "ru" (Russian) website which obviously isn't worth mentioning here.
How did this happen? Never mind all the WordPress hacking that's been going on over the past few years. This was a Parallels Plesk Panel exploit which allowed hackers to extract administrative master passwords. According to a Parallels Security Advisory, any website running Plesk Panel version 10.4 and earlier appears to be vulnerable although the company states that the security vulnerability claims are "yet unsubstantiated."
What the hack (I mean heck) is Plesk? Parallels Plesk Panel is used by web hosting companies and allows administrators (aka: web hosts) to set up new websites and e-mail accounts through a web-based interface. Website owners can then log into their Plesk management system to manage certain functions of their website. Do I like it? No. Plesk has got to be one of the most confusing systems on planet earth for the average end-user to understand — totally unintuitive and non-user-friendly. In fact, it's archaic. And the exploit came as no surprise to me at all.
Starting at 7:00 PM on Thursday June 21st, 2012 and ending at 10:30 AM on Monday June 25th, 2012, all I did was monitor our clients' websites every hour — deleting all of the infected files and replacing them with fresh, clean copies (ftp'ing into each website and looking at the file modification dates was the key). That was the easy part although I lost three and a half days of my life to Fetch (not to mention missing out on the first beautiful sunny, summer weekend here in Vancouver after about six months straight of rain).
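One way to automate the modification check described above, as an added example that is not the author's own tooling: take a manifest of content hashes from the known-clean copy of the site, then compare it against the live files so that altered or dropped-in files stand out. Hashes are used rather than modification dates alone, because a modification date can be reset by whoever altered the file. All file names and contents below are constructed.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 and mtime."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[rel] = (digest, os.stat(full).st_mtime)
    return manifest


def diff_manifests(baseline, current):
    """Report files added, removed, or whose content hash changed.

    The content hash decides 'modified'; the mtime kept in the manifest is
    only a hint for triage, since it can be reset after tampering.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and current[p][0] != baseline[p][0])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean site, then a simulated alteration."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "css"))
        with open(os.path.join(site, "index.html"), "w") as fh:
            fh.write("<html><body>Hello</body></html>\n")
        with open(os.path.join(site, "css", "style.css"), "w") as fh:
            fh.write("body { color: black; }\n")
        baseline = build_manifest(site)  # taken from the known-clean copy
        # Simulated tampering (constructed): index.html altered, new file dropped
        with open(os.path.join(site, "index.html"), "a") as fh:
            fh.write("<!-- constructed placeholder for injected markup -->\n")
        with open(os.path.join(site, "dropped.php"), "w") as fh:
            fh.write("<?php // constructed placeholder ?>\n")
        return diff_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is generated from the clean copies kept off the server, and the live manifest from a download of the hosted files, so a changed hash points directly at the file to replace.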
The worst part of this whole fiasco? The web hosting firm which all of these websites were hosted with turned a blind eye to the situation and literally walked away from it for the entire weekend (the first weekend of summer — it's party time, folks!). Even though I notified them immediately after receiving my client's e-mail message, they didn't do a darned thing about it until the late morning of Monday June 25th, 2012 (notice that I said late morning — 'must have been a rough weekend). I wouldn't doubt for a moment that they knew all about the vulnerability but it appears as though they never bothered to apply the recommended patch until they were left with no choice.
What this web host failed to acknowledge (let alone understand during my discussions with them) was the fact that if any of these websites would have been crawled at the very same moment they had been infected, there's a very good chance that the websites would have been thrown right out of the search indexes. Gone from the major search engines due to malware.
In this day and age of Internet Security — with security bulletins and patches available with the simple click of a mouse, this kind of stuff just shouldn't happen but when a company runs a server farm and takes off for the first weekend of summer, I guess you have to expect it to happen. As a result, we moved all but two of the affected clients' websites to a completely new web hosting company (and no — they don't use Plesk).
Many Plesk users on the Parallels Forum are now reporting that their servers are still being compromised after updating to the latest version of the software. Upon researching the exploit today, I found some sources indicating that over 50,000 websites have recently been compromised.
As a "consumer", if you happen to use Plesk to manage your website (creating and deleting e-mail addresses, for example), you might just want to take a good, close look at your website to see if you've been affected. You may also wish to contact your web host to see if they're aware of the problem and if they've taken the appropriate steps to protect your website.
Referring back to the Are You Being Served? blog we did in September of 2010, I should have seen this coming. Maybe some of these web hosting firms should consider investing in a copy of Mac OS X Server.
[Updated 07.21.12] To add insult to injury, the exact same client who e-mailed me on June 21st, 2012, sent me another e-mail this afternoon asking what was wrong with their website again (exactly one month to the date). After landing on their website, this is what I was greeted with:
A Plesk Web Server Default Page — note the part circled in red which says "you see this page because there is no web site at this address." Excuse me? Yes, there is a website hosted at this address but it looks like the hosting company took the weekend off again after updating their server. Unfortunately, this "website" happens to belong to one of only two clients who didn't switch web hosts after the hacking fiasco.