A few days ago we published a post about the Plesk 0-day vulnerability that we started to see being probed in the wild. It exploits an incorrect configuration in Plesk 9.0-9.2 that lets anyone reach the PHP binary inside phppath (phppath/php) and execute commands remotely on the server.
However, it looks like this vulnerability had been known in the underground for a while and was already being used by attackers to compromise Plesk-based servers.
Timeline of a 0-day
This is the original timeline we have since the release of the vulnerability:
- 2013/Jun/05 – Kingcope disclosed the vulnerability on the Full Disclosure mailing list.
- 2013/Jun/06 – Parallels (the company behind Plesk) issued a patch.
- 2013/Jun/10 – We released a post with the initial data we had on the big influx of attackers scanning for this vulnerability in the wild. The first hit we saw was on June 8th; the volume grew on June 9th and is still going.
That is a very typical timeline for a 0-day. Parallels responded very fast (within 1 day) and issued a patch. After a few days, the attackers modified their bots to start scanning for this vulnerability and compromising servers.
Real probes for this vulnerability started earlier
However, that timeline is not fully accurate. When we went back through our logs and earlier data, we noticed a few hits for “/phppath/php” in May 2013. Searching further back, we found scans as early as April:
/var/ossec/logs/alerts/2013/May/ossec-alerts-18.log.gz:82.195.x.x - - [18/May/2013:22:11:38 -0400] "GET /phppath/php HTTP/1.0" 404 209 "-" "-"
/var/ossec/logs/alerts/2013/Apr/ossec-alerts-21.log.gz:91.224.x.x - - [21/Apr/2013:01:58:33 -0400] "POST /phppath/php?-d+allow_url_include..
All of these scans were looking for that specific file (/phppath/php), which would allow the attacker to exploit this vulnerability. Here are two errors we found in an Apache error_log:
[Mon Feb 18 23:53:41 2013] [error] [client 85.114.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /phppath/php
[Sun Feb 17 04:17:50 2013] [error] [client 69.84.x.x] File does not exist: /home/clientsite/public_html/phppath/php
So we can see it being probed since February, months before the vulnerability was publicly disclosed. We are still investigating, but if you run a server, search your logs for “/phppath/php”. We are looking for more data to determine when it really became known and started to be probed.
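To make that log search repeatable, here is an added example script (not from the original post or from Plesk/Parallels) that scans Apache access and error logs, plain or gzip-compressed, for the /phppath/php probe path, counts the hits, lists the distinct client IPs, and reports the earliest date seen in either log format. The function names, the log locations and the sample log lines are constructed for this example; the sample lines mimic the format of the entries quoted above but use documentation IP addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: find probes for the
# Plesk "/phppath/php" path in Apache logs and summarise when they began.

PROBE_PATH='/phppath/php'

# Print a log file, decompressing rotated .gz archives on the fly.
read_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Total number of lines across the given logs that reference the probe path.
count_probes() {
    total=0
    for f in "$@"; do
        n=$(read_log "$f" | grep -c -F "$PROBE_PATH" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Distinct client IPs that probed the path, one per line, sorted.
# Handles both access-log lines ("IP - - [...]") and error-log "[client IP]".
probing_ips() {
    for f in "$@"; do read_log "$f"; done | grep -F "$PROBE_PATH" \
      | sed -n 's/.*\[client \([0-9.x]*\)\].*/\1/p; s/^\([0-9.x][0-9.x]*\) - - .*/\1/p' \
      | sort -u
}

# Dates (YYYY-MM-DD) of every probe, normalised from both Apache timestamp
# formats so they sort lexically; earliest_probe prints the first one.
probe_dates() {
    for f in "$@"; do read_log "$f"; done | grep -F "$PROBE_PATH" | awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = sprintf("%02d", i) }
    # access log: [21/Apr/2013:01:58:33 -0400]
    match($0, /\[[0-9][0-9]\/[A-Z][a-z][a-z]\/[0-9][0-9][0-9][0-9]:/) {
        split(substr($0, RSTART + 1, RLENGTH - 2), p, "/")
        print p[3] "-" mon[p[2]] "-" p[1]; next
    }
    # error log: [Sun Feb 17 04:17:50 2013]
    match($0, /\[[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9][0-9][0-9][0-9]\]/) {
        split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
        print p[5] "-" mon[p[2]] "-" sprintf("%02d", p[3])
    }' | sort
}
earliest_probe() { probe_dates "$@" | head -n 1; }

# Constructed sample logs (documentation IPs, not real attacker addresses).
write_sample_logs() {
    cat > "$1/access.log" <<'EOF'
192.0.2.10 - - [18/May/2013:22:11:38 -0400] "GET /phppath/php HTTP/1.0" 404 209 "-" "-"
192.0.2.11 - - [21/Apr/2013:01:58:33 -0400] "POST /phppath/php?-d+allow_url_include HTTP/1.1" 404 209 "-" "-"
198.51.100.5 - - [21/Apr/2013:02:00:00 -0400] "GET /index.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
EOF
    cat > "$1/error_log" <<'EOF'
[Sun Feb 17 04:17:50 2013] [error] [client 192.0.2.12] File does not exist: /var/www/html/phppath/php
[Mon Feb 18 23:53:41 2013] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /phppath/php
[Tue Feb 19 10:00:00 2013] [error] [client 198.51.100.5] File does not exist: /var/www/html/favicon.ico
EOF
}

# Demo run against the constructed sample; point the functions at your own
# /var/log/apache2 or /var/log/httpd files (including *.gz) for real data.
DEMO_DIR=$(mktemp -d)
write_sample_logs "$DEMO_DIR"
echo "probe hits    : $(count_probes "$DEMO_DIR/access.log" "$DEMO_DIR/error_log")"
echo "earliest probe: $(earliest_probe "$DEMO_DIR/access.log" "$DEMO_DIR/error_log")"
echo "probing IPs   :"; probing_ips "$DEMO_DIR/access.log" "$DEMO_DIR/error_log"
rm -rf "$DEMO_DIR"
```

Run it as `sh probes.sh` to see the demo; for a real server, replace the demo paths with something like `/var/log/apache2/access.log*` and `/var/log/apache2/error.log*` so rotated archives are included, since the earliest hits will usually be in the oldest compressed files.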