Plesk Vulnerability Leading to Malware

Our friends over at Unmask Parasites posted two very good reports about a mix of Plesk vulnerabilities being used to mass-compromise websites, and redirecting them to the Blackhole Exploit Kit.

The first issue is that old versions of Plesk store passwords in clear text (yes, clear text in 2012). The second is a remote SQL vulnerability that has been found in old versions of Plesk allowing attackers to exploit those passwords.

clear text password + database dump = Mass password leaks

This has possibly allowed attackers to gain access to a large number of passwords and hosts/sites. We recommend reading those two posts to understand the issue:

First post: Millions of Website Passwords Stored in Plain Text in Plesk Panel

Second post: Runforestrun and Pseudo Random Domains

What to do?

If you are running Plesk, you need to update it ASAP! Once updated, you should change all your passwords. You just never know if they have been compromised already.

The good news is it appears that new versions of Plesk are now securely storing your passwords:

As of Plesk 11, no passwords are stored in plain text. Depending on the type of password, it is either one-way hashed or encrypted, each with a unique per-server salt or encryption key. – Source: Brian w/Plesk

Blackhole exploit kit

A large percentage of the sites we have seen compromised by this lead to the Blackhole Exploit Kit. It is often done via encoded JavaScript that changes very often, and varies from site to site. We have some examples here: Blackhole Exploit Kits.

If your site is compromised (or you think it is), we recommend scanning it with Sucuri SiteCheck.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site or on Twitter: @danielcid