
Mass website compromise arising from Parallels Plesk Panel vulnerabilities

Release Date: 19 Jul 2012

Recently, a webmaster requested our assistance after finding that his website's home page and .js files had been injected with malicious code. The malicious code silently redirects visitors to an unknown .ru website. These websites host the well-known "Blackhole Exploit Kit" attack code, which attempts to exploit multiple vulnerabilities in the visitor's system, including Java, Adobe Flash Player, Adobe Reader and Windows Help Center (Note 1). If the attack succeeds, malware is downloaded to the affected system. We analysed the malicious code on the compromised website and found that it was part of a large-scale compromise of websites hosted on servers running a vulnerable Parallels Plesk Panel. The estimated number of affected websites was in the tens of thousands.

 
 

Parallels Plesk Panel vulnerabilities

 
Parallels Plesk Panel is website control panel software widely used by web hosting companies; it is deployed on over 250,000 servers globally. Older versions of the software (prior to version 11) still store password data in unencrypted (plain text) form. In late June, hackers discovered this weakness and combined it with a remote SQL vulnerability exploit to perform an attack that can dump all website account passwords stored on the server. In early July, an exploit tool targeting this vulnerability was being sold on a web forum (Note 2).
 
Fig 1: Hackers exploit Parallels Plesk Panel vulnerabilities to steal website account passwords

 

Hackers injected malicious code into the websites of affected accounts

 
After obtaining the account passwords, the hackers could log in to Parallels Plesk Panel and control all websites on the server, including changing file content or replacing files. According to the log data, the hackers came from several IP addresses and used the Parallels Plesk Panel built-in File Manager to log in to a large number of websites on one server within a short period of time, and then uploaded or edited files.
 
Fig 2: Log sample
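The behaviour described above (one source IP logging in to many sites through File Manager within minutes) can be detected with a sliding-window check over the panel's login log. The following Python script is an added example, not part of the advisory or of Parallels' software; the log line format, the IP addresses and the domain names in the sample are constructed assumptions, so the regular expression must be adapted to the real Plesk log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (the format, IPs and domains are assumptions, not Plesk's real format):
# "<date> <time> <client ip> <action> <domain>"
SAMPLE_LOG = """\
2012-07-05 02:11:03 203.0.113.7 filemanager-login example-one.test
2012-07-05 02:11:09 203.0.113.7 filemanager-upload example-one.test
2012-07-05 02:11:41 203.0.113.7 filemanager-login example-two.test
2012-07-05 02:12:15 203.0.113.7 filemanager-login example-three.test
2012-07-05 02:12:50 203.0.113.7 filemanager-login example-four.test
2012-07-05 09:30:00 198.51.100.4 filemanager-login example-two.test
2012-07-05 14:02:11 198.51.100.9 filemanager-login example-five.test
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, ip, action, domain) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def flag_mass_logins(events, window=timedelta(minutes=10), threshold=3):
    """Return {ip: [domains]} for every IP that logged in to at least `threshold`
    distinct domains within any `window`-long period (one IP, many sites, fast)."""
    logins = defaultdict(list)
    for ts, ip, action, domain in events:
        if action == "filemanager-login":
            logins[ip].append((ts, domain))
    flagged = {}
    for ip, items in logins.items():
        items.sort()  # chronological order so the window can start at each login
        for i, (start, _) in enumerate(items):
            in_window = {d for t, d in items[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = sorted({d for _, d in items})
                break
    return flagged

if __name__ == "__main__":
    for ip, domains in flag_mass_logins(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} logged in to {len(domains)} sites: {', '.join(domains)}")
```

Tune `window` and `threshold` to the normal activity of the server; a legitimate administrator who maintains several sites will also trip a threshold set too low.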
 
On the affected websites, the specially crafted malicious code shown below was found injected at the end of the home page or .js files. The code is enclosed between two comment markers, /*km0ae9gr6m*/ at the beginning and /*qhk6sa6g1c*/ at the end.
 
Fig 3: Malicious code sample (Source: unmaskparasites.com)
 
After decoding the code (Note 3), we found that it generates a new random .ru domain URL every 12 hours, derived from the current date and time:
 
http:// <randomly generated domain>.ru /runforestrun?sid=cx
 
Security researchers confirmed that the hackers had pre-registered these domain names in advance for illegal activities. When a user's computer browses a website injected with this malicious code, it connects to the .ru website above without the user's knowledge. That website hosts the "Blackhole Exploit Kit" attack code, which may infect the user's computer with malware.
 

How to Protect

 
According to data provided by the security company Sucuri (Note 4), more than 50,000 websites are estimated to have been compromised, and the number is still increasing. To help webmasters and personal users avoid being affected by these attacks, we make the following recommendations:
 

Steps for Webmasters

 
If the website is hosted on a Linux system, use the "grep" command to verify whether your web pages are embedded with the malicious code (the brace expansion in --include requires bash):
 
cd <vhost path>
grep -rl --include=*.{php,js,html,htm} "km0ae9gr6m" *
 
If the website is hosted on a Windows system, use the following "powershell" command to verify whether your web pages are embedded with the malicious code:
 
cd <vhost path>
get-childitem .\ -include *.asp,*.aspx,*.php,*.js,*.html,*.htm -rec | select-string -pattern "km0ae9gr6m"
 
If your web pages have been injected with the malicious code, remove it manually from the affected pages. Then contact your web hosting company and advise them to follow the "Steps for Parallels Plesk Panel Administrators" below.
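The grep and PowerShell commands above only list the files; removing the block by hand from thousands of pages is error-prone. The following Python script is an added example, not from the advisory or from Parallels: it walks a vhost tree, classifies each page by the two marker comments the advisory describes, and optionally strips every complete marker-delimited block after saving a .bak copy. The sample file content is constructed and its payload is a harmless stand-in, not the real injected script.

```python
import re
from pathlib import Path

# Marker comments that delimit the injected block (from the advisory).
START_MARKER = "/*km0ae9gr6m*/"
END_MARKER = "/*qhk6sa6g1c*/"
INJECTED_RE = re.compile(re.escape(START_MARKER) + r".*?" + re.escape(END_MARKER), re.DOTALL)
EXTENSIONS = {".php", ".js", ".html", ".htm", ".asp", ".aspx"}

# Constructed sample file content; the payload is a harmless stand-in, not the real injected script.
SAMPLE_JS = "function init(){ return 1; }\n/*km0ae9gr6m*/var x=1;/*qhk6sa6g1c*/\n"

def classify(text):
    """'clean', 'infected' (a complete marker pair) or 'partial' (one marker only: review by hand)."""
    if INJECTED_RE.search(text):
        return "infected"
    if START_MARKER in text or END_MARKER in text:
        return "partial"
    return "clean"

def clean_content(text):
    """Strip every complete marker-delimited block; returns (cleaned_text, blocks_removed)."""
    return INJECTED_RE.subn("", text)

def scan_tree(root, remove=False):
    """Walk a vhost tree and return {relative_path: status}. With remove=True, infected files
    are cleaned in place after a .bak copy is saved; 'partial' files are reported, never modified."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        raw = path.read_bytes()
        text = raw.decode("utf-8", errors="surrogateescape")  # keep non-UTF-8 bytes intact
        status = classify(text)
        if status == "clean":
            continue
        report[path.relative_to(root).as_posix()] = status
        if remove and status == "infected":
            path.with_name(path.name + ".bak").write_bytes(raw)
            cleaned, _ = clean_content(text)
            path.write_bytes(cleaned.encode("utf-8", errors="surrogateescape"))
    return report

if __name__ == "__main__":
    import sys
    for rel, status in scan_tree(sys.argv[1], remove="--remove" in sys.argv).items():
        print(f"{status:9} {rel}")
```

Run it first without --remove to review the report; files marked "partial" have a damaged or truncated injection that the pattern cannot safely strip.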
 

Steps for Parallels Plesk Panel Administrators

 
If you are using Parallels Plesk Panel prior to version 11 and have not applied the "113321" patch, refer to the solution provided by Parallels (Note 5).
  1. Apply the "113321" patch (http://kb.parallels.com/113321)
  2. Reset all passwords (http://kb.parallels.com/en/113391); e-mail passwords may be exempted
  3. Remove the session records from the psa database
    mysql> delete from sessions;
  4. Remove the malicious code from the affected files on the server (http://forum.parallels.com/showpost.php?p=630228&postcount=24)

Steps for Personal Users

  1. Install security software and keep it updated
  2. Keep system software up to date with the latest version