Plesk Vulnerability – In the Wild for Months Before Disclosure

A few days ago we published a post about the Plesk 0-day vulnerability that we started to see being probed in the wild. It uses an incorrect configuration in Plesk 9.0-9.2 that allows anyone to access the PHP binary from inside phppath (phppath/php) and execute remote commands on the server.

However, it looks like this vulnerability has been known for a while in the underground and being used by attackers to compromise Plesk-based servers.

Timeline of a 0-day

This is the original timeline we have since the release of the vulnerability:

  1. 2013/Jun/05 – Kingcope disclosed the vulnerability on full disclosure.
  2. 2013/Jun/06 – Parallels (the company behind Plesk) issued a patch.
  3. 2013/Jun/10 – We released a post with initial data that we started to see with the big influx of attackers scanning for this vulnerability on the wild. The first hit we saw was on June 8th and it grew on June 9th, and is still going.

That’s a very normal timeline for 0-days. Parallels responded very fast (within 1 day) and issued a patch. After a few days, the attackers modified their bots to start looking for this vulnerability and compromising servers.

Real probes for this vulnerability started earlier

However, that timeline is not fully accurate. As we went back to our logs and previous data, we noticed a few hits for “/phppath/php” in May of 2013. As we searched further back, we found scans as far back as April:

/var/ossec/logs/alerts/2013/May/ossec-alerts-18.log.gz:82.195.x.x – – [18/May/2013:22:11:38 -0400] “GET /phppath/php HTTP/1.0″ 404 209 “-” “-”
/var/ossec/logs/alerts/2013/Apr/ossec-alerts-21.log.gz:91.224.x.x – – [21/Apr/2013:01:58:33 -0400] “POST /phppath/php?-d+allow_url_include..

All the scans were looking for that specific file (/phppath/php) that would allow them to exploit this vulnerability. Here is an error we found in an Apache error_log:

[Mon Feb 18 23:53:41 2013] [error] [client 85.114.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /phppath/php
[Sun Feb 17 04:17:50 2013] [error] [client 69.84.x.x] File does not exist: /home/clientsite/public_html/phppath/php

So we can see it being probed since February, months before it was released. We are still investigating, but if you have a server, try to search for “/phppath/php” in the logs. We are looking for more data to see when it really became known and started to be probed.

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • Jim Dominic

    Recent entries from our log:

    91.224.160.25 – – [07/Jun/2013:21:56:19 +0400] “GET /php-my-admin/index.php HTTP/1.1″ 403 1654 – Mozilla/5.0 (Windows NT 5.0; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
    91.224.160.25 – – [07/Jun/2013:21:56:20 +0400] “GET /php-myadmin/index.php HTTP/1.1″ 403 1654 – Mozilla/5.0 (Windows NT 5.0; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
    91.224.160.25 – – [07/Jun/2013:21:56:20 +0400] “GET /webdb/index.php HTTP/1.1″ 403 1654 – Mozilla/5.0 (Windows NT 5.0; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
    91.224.160.25 – – [07/Jun/2013:21:56:20 +0400] “GET /webadmin/index.php HTTP/1.1″ 403 1654 – Mozilla/5.0 (Windows NT 5.0; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
    91.224.160.25 – – [07/Jun/2013:21:56:20 +0400] “POST /?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n HTTP/1.1″ 403 1654 – Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.813.0 Safari/535.1
    91.224.160.25 – – [07/Jun/2013:21:56:20 +0400] “POST /phppath/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin.simulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2f%2finput+-n HTTP/1.1″ 403 1654 – Mozilla/5.0 (U; Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0

  • http://www.kizi1.org/ Kizi 1

    It will be very difficult if we do not find out its problems

  • http://baneki.com/ Baneki Privacy Labs

    We checked two of our machines, and we found, respectively:

    access_log:66.175.122.228 – – [10/Jun/2013:01:04:07 +0000] “GET //phppath/php HTTP/1.1″ 302 289
    access_log:88.208.206.74 – – [11/Jun/2013:08:13:32 +0000] “GET /phppath/php HTTP/1.0″ 302 299

    – and –

    205.207.165.210 – – [09/Jun/2013:18:26:36 -0400] “GET /phppath/php HTTP/1.0″ 404 209 “-” “-”
    94.23.204.157 – – [09/Jun/2013:20:03:02 -0400] “GET //phppath/php HTTP/1.1″ 404 209 “-” “Mozilla/5.0 (Windows NT 6.1)”
    91.121.71.114 – – [16/Jun/2013:00:06:09 -0400] “GET /phppath/php HTTP/1.1″ 404 209 “-” “Mozilla/4.0 (compatible; MSIE 5.01; Windows NT
    5.0)”
    69.84.41.201 – – [07/Jun/2013:07:28:13 -0400] “GET /phppath/php HTTP/1.0″ 404 209 “-” “-“