Our friends over at Unmask Parasites posted two very good reports about a mix of Plesk vulnerabilities being used to mass-compromise websites, and redirecting them to the Blackhole Exploit Kit.
The first issue is that old versions of Plesk store passwords in clear text (yes, clear text in 2012). The second is a remote SQL vulnerability that has been found in old versions of Plesk allowing attackers to exploit those passwords.
clear text password + database dump = Mass password leaks
This has possibly allowed attackers to gain access to a large number of passwords and hosts/sites. We recommend reading those two posts to understand the issue:
First post: Millions of Website Passwords Stored in Plain Text in Plesk Panel
Second post: Runforestrun and Pseudo Random Domains
What to do?
If you are running Plesk, you need to update it ASAP! Once updated, you should change all your passwords. You just never know if they have been compromised already.
The good news is it appears that new versions of Plesk are now securely storing your passwords:
As of Plesk 11, no passwords are stored in plain text. Depending on the type of password, it is either one-way hashed or encrypted, each with a unique per-server salt or encryption key. – Source: Brian w/Plesk
Blackhole exploit kit
A large percentage of the sites we have seen compromised by this lead to the Blackhole Exploit Kit. It is often done via encoded JavaScript that changes very often, and varies from site to site. We have some examples here: Blackhole Exploit Kits.
If your site is compromised (or you think it is), we recommend scanning it with Sucuri SiteCheck.
5 comments
Comments are closed.