Great… Nice start to the day: received an email from Parallels regarding a vulnerability in all Plesk Panel versions below 10.4 which allows anonymous access to the server!
In a nutshell – if your server is running a version below 10.4 – you are at risk and MUST update. I have 3 Plesk servers, 10.4 / 9.5.4 / 8.6.0 – so I was able to carry out the “Micro updates” (MU); versions other than these require a manual patch (unless you opt to go up to the highest subversion to get the MU).
The manual patch
cd /tmp
wget http://kb.parallels.com/Attachments/18827/Attachments/api.tar.gz
gzip -d api.tar.gz
tar -xf api.tar
cp /usr/local/psa/admin/plib/api-rpc/Agent.php /usr/local/psa/admin/plib/api-rpc/Agent.php.backup
cp api/plesk-9.3/Agent.php /usr/local/psa/admin/plib/api-rpc/Agent.php
Patching through Micro-Updates
Much easier! Simply log on to your Plesk Panel, go to Updates, and update your current version. Once updated, you will need to check the micro-update version, which is returned as the ‘patch version’:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
  <product id="plesk" version="9.5.4">
    <patch version="17" timestamp="" />
  </product>
</patches>
If you receive an error, you are not using Micro Updates – you must be on 8.6.0, 9.5.4 or 10.x – and fixes are provided by the Micro-Updates listed below:
- 8.6.0 for Linux only MU#2 – http://kb.parallels.com/en/112181
- 9.5.4 for Linux only MU#11 – http://kb.parallels.com/en/112179
- 10.0.1 for Linux and Windows MU#13 – http://kb.parallels.com/en/113322
- 10.1.1 for Linux and Windows MU#22 – http://kb.parallels.com/en/113323
- 10.2.0 for Linux and Windows MU#16 – http://kb.parallels.com/en/113324
- 10.3.1 for Linux and Windows MU#5 – KB is absent
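To make the check above repeatable, here is an added example (my own script, not something from the post or from Parallels) that reads the product and patch versions out of the XML shown earlier and compares them with the minimum MU numbers in the list. SAMPLE_XML is constructed to mirror that output; the path /root/.autoinstaller/microupdates.xml in the comments is an assumption about where the same XML lives on a real server.

```shell
#!/bin/sh
# Added example, not from the original post: read the micro-update level out of
# the XML shown above and compare it with the minimum MU listed for each Plesk
# version. SAMPLE_XML is constructed to mirror that output; on a real server the
# same XML is assumed to live in /root/.autoinstaller/microupdates.xml.

SAMPLE_XML='<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
  <product id="plesk" version="9.5.4">
    <patch version="17" timestamp="" />
  </product>
</patches>'

# mu_parse < xml: print "PRODUCT_VERSION PATCH_VERSION"; status 1 if either is missing.
mu_parse() {
    xml=$(cat)
    ver=$(printf '%s\n' "$xml" | sed -n 's/.*<product id="plesk" version="\([^"]*\)".*/\1/p' | head -n 1)
    patch=$(printf '%s\n' "$xml" | sed -n 's/.*<patch version="\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] && [ -n "$patch" ] || return 1
    printf '%s %s\n' "$ver" "$patch"
}

# mu_required VERSION: minimum MU number carrying the fix, from the list above.
# 10.4 and later need no MU for this issue; unlisted versions need the manual patch.
mu_required() {
    case "$1" in
        8.6.0)  echo 2 ;;
        9.5.4)  echo 11 ;;
        10.0.1) echo 13 ;;
        10.1.1) echo 22 ;;
        10.2.0) echo 16 ;;
        10.3.1) echo 5 ;;
        10.4*)  echo 0 ;;
        *)      return 1 ;;
    esac
}

# mu_status VERSION PATCH: prints patched, vulnerable, or manual-patch.
mu_status() {
    need=$(mu_required "$1") || { echo manual-patch; return 0; }
    if [ "$2" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# mu_report < xml: one human-readable line for the operator.
mu_report() {
    parsed=$(mu_parse) || { echo "could not read micro-update info: manual patch or update required"; return 1; }
    ver=${parsed%% *}
    patch=${parsed#* }
    echo "Plesk $ver at MU#$patch: $(mu_status "$ver" "$patch")"
}

printf '%s\n' "$SAMPLE_XML" | mu_report
# On a live server (assumed path): mu_report < /root/.autoinstaller/microupdates.xml
```

The version table is deliberately a plain case statement so it can be extended as further MUs are published; anything not in the table and not 10.4+ is reported as needing the manual patch rather than silently passing.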
Checking to see if you have been attacked / infected
Ok – so you have patched your server and the hacker can’t get in again – so now we need to tidy up any files which may have been added. In my case I found 13 rogue perl scripts within the cgi-bin folder of different domains. Each file had a random filename e.g. motherboard.pl / preconnective.pl / etc. and contained surprisingly well documented code (for a trojan!), even telling me its origin on the first line: “#part of the Gootkit ddos system”.
So first off, we will find and list ANY perl scripts within your server’s web hosting files:
cd /var/www
find . -iname '*.pl' -ls
After producing this list, make a note of any rogue files, investigate each one – and DELETE! This however will not stop a process that has already been launched, so you will also need to check for any of the previously listed rogue scripts running as processes.
Find and kill any rogue perl scripts:
ps aux | less
It might be easier to find the perl scripts by using grep to reduce the amount of processes to look through:
ps aux | grep '\.pl'
This will list the running processes, which we need in order to find the PIDs to kill (I have omitted my genuine scripts):
domain 5369 0.0 0.2 41040 5928 ? S 13:12 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain 6309 0.0 0.2 41040 5924 ? S 13:18 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain 9807 0.0 0.2 41040 5924 ? S 13:45 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain 13955 0.0 0.2 41040 5924 ? S 14:19 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain 14520 0.0 0.2 41040 5920 ? S 14:23 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
Now to kill off all those processes :
kill 5369
kill 6309
kill 9807
kill 13955
kill 14520
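The find / inspect / ps steps above work fine by hand on one box, but across several servers it is easy to miss a file. Here is an added example (my own script, not part of the original post) that flags perl scripts under a web root carrying the “part of the Gootkit ddos system” marker quoted earlier and pairs each with the PIDs seen running it in ps output. Deleting and killing are deliberately left to the operator after review. The sample directory tree and the SAMPLE_PS lines are constructed for the demo, in the same layout as the real ps output above.

```shell
#!/bin/sh
# Added example, not from the original post: automate the find / inspect / ps
# steps above. It flags perl scripts under a web root that carry the Gootkit
# marker string quoted in the post and pairs each with the PIDs seen running it
# in ps output. Deleting and killing are left to the operator after review.
# The sample tree and SAMPLE_PS below are constructed.

MARKER='part of the Gootkit ddos system'

# Constructed ps aux lines in the layout shown above (user pid ... command).
SAMPLE_PS='domain 5369 0.0 0.2 41040 5928 ? S 13:12 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain 6309 0.0 0.2 41040 5924 ? S 13:18 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
www 7001 0.0 0.1 20000 3000 ? S 13:20 0:00 /usr/bin/perl /var/www/vhosts/other.co.uk/cgi-bin/counter.pl'

# suspect_scripts DIR: every *.pl under DIR whose contents include MARKER.
suspect_scripts() {
    find "$1" -type f -iname '*.pl' -exec grep -lF "$MARKER" {} + 2>/dev/null
    return 0   # an empty result is not an error
}

# perl_pids SCRIPT < ps-output: PIDs (field 2) of perl processes whose command line contains SCRIPT.
perl_pids() {
    awk -v script="$1" 'index($0, "perl ") && index($0, script) { print $2 }'
}

# hunt DIR < ps-output: for each flagged script, print its path followed by the PIDs
# running it, matching on the path relative to DIR (ps shows the live /var/www path).
hunt() {
    ps_out=$(cat)
    suspect_scripts "$1" | while IFS= read -r f; do
        rel=${f#"$1"/}
        pids=$(printf '%s\n' "$ps_out" | perl_pids "$rel" | tr '\n' ' ')
        if [ -n "$pids" ]; then
            printf '%s %s\n' "$f" "${pids% }"
        else
            printf '%s (not running)\n' "$f"
        fi
    done
}

# build_demo_tree: constructed web root with one rogue and one legitimate script;
# prints the temporary directory it created.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vhosts/domain.co.uk/cgi-bin" "$d/vhosts/other.co.uk/cgi-bin"
    printf '#!/usr/bin/perl\n#%s\n' "$MARKER" > "$d/vhosts/domain.co.uk/cgi-bin/impends.pl"
    printf '#!/usr/bin/perl\nprint "hello";\n' > "$d/vhosts/other.co.uk/cgi-bin/counter.pl"
    echo "$d"
}

demo=$(build_demo_tree)
printf '%s\n' "$SAMPLE_PS" | hunt "$demo"
rm -rf "$demo"
# On a live server: ps aux | hunt /var/www
```

Matching on the marker string only catches this particular family; any .pl file that turns up in a cgi-bin you do not recognise still deserves a manual look, and the PIDs printed should be compared against the file’s owner and start time before anything is killed.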
All done. Now sit back, take a deep breath – and wait for the next stage of the hacker/patch cat and mouse game…!