
Plesk API vulnerability – allow anonymous hacker

Great… Nice start to the day: received an email from Parallels regarding a vulnerability in all Plesk Panel versions below 10.4 which allows anonymous access to the server!

http://kb.parallels.com/en/113321

In a nutshell – if your server is running a version below 10.4 you are at risk and MUST update. I have 3 Plesk servers, 10.4 / 9.5.4 / 8.6.0, so I was able to carry out the “Micro updates” (MU); versions other than these require a manual patch (unless you opt to go up to the highest subversion to get the MU).

The manual patch

cd /tmp
wget http://kb.parallels.com/Attachments/18827/Attachments/api.tar.gz
gzip -d api.tar.gz
tar -xf api.tar
cp /usr/local/psa/admin/plib/api-rpc/Agent.php /usr/local/psa/admin/plib/api-rpc/Agent.php.backup
cp api/plesk-9.3/Agent.php /usr/local/psa/admin/plib/api-rpc/Agent.php

Patching through Micro-Updates

Much easier! Simply log on to your Plesk Panel, go to Updates, and update your current version. Once updated, you will need to check the MicroUpdate version:

cat /root/.autoinstaller/microupdates.xml

This returns your MU version as the ‘patch version’ attribute:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<patches>
  <product id="plesk" version="9.5.4">
    <patch version="17" timestamp="" />
  </product>
</patches>

If you receive an error, you are not using Micro Updates – you must be on 8.6.0, 9.5.4 or 10.x, as the fixes are provided by the Micro-Updates listed below.

Checking to see if you have been attacked / infected

Ok – so you have patched your server and the hacker can’t get in again – now we need to tidy up any files which may have been added. In my case I found 13 rogue perl scripts within the cgi-bin folders of different domains. Each file had a random filename, e.g. motherboard.pl / preconnective.pl / etc., and contained surprisingly well documented code (for a trojan!), even telling me its origin on the first line: “#part of the Gootkit ddos system”.

So first off, we will find and list ANY perl scripts within your server’s web hosting files:

cd /var/www
find * -iname '*.pl' -ls

After producing this list, make a note of any rogue files, investigate each one – and DELETE! This, however, will not stop a process that has already launched, so you will also need to check whether any of the rogue scripts you listed are still running as processes.

Find and kill any rogue perl scripts:

ps aux | less

It might be easier to find the perl scripts by using grep to reduce the number of processes to look through (escape the dot, otherwise it matches any character and also picks up unrelated names such as “plesk”):

ps aux | grep '\.pl'

This will list the matching processes, which we need in order to find the PIDs to kill (I have omitted my genuine scripts):

domain    5369  0.0  0.2  41040  5928 ?        S    13:12   0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain    6309  0.0  0.2  41040  5924 ?        S    13:18   0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain    9807  0.0  0.2  41040  5924 ?        S    13:45   0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain   13955  0.0  0.2  41040  5924 ?        S    14:19   0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
domain   14520  0.0  0.2  41040  5920 ?        S    14:23   0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal

Now to kill off all those processes:

kill 5369
kill 6309
kill 9807
kill 13955
kill 14520

All done. Now sit back, take a deep breath – and wait for the next stage of the hacker/patch cat and mouse game…!

By Mik Canavan

I'm a tech obsessed and self-confessed geek. As the Technical Director at Fivenines UK, I'm lucky that I get to faff with gadgets, design websites and fix servers...

4 replies on “Plesk API vulnerability – allow anonymous hacker”

Just a few additions to this:

– Some attackers are uploading .cgi files (not just .pl)

– The scripts add cron-jobs to keep the attacks going (check the crontabs in /var/spool/cron/ for references to detaching Perl processes and “X11-unix”, which will highlight what these scripts create).

– They also create some files in /tmp specifically ua, ua2 and X11-unix (file pretending to be related to X11 but really isn’t).
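Pulling the post's clean-up steps and the additions in the reply above into one read-only triage script, as an added example that is not part of the original post or its replies. The `ps aux` sample is constructed to match the layout of the listing in the post; the script prints PIDs for review and never kills anything itself.

```shell
#!/bin/sh
# Added example (not from the original post or its replies): read-only
# triage for the clean-up described above. Lists candidate scripts on
# disk, finds Perl processes running out of a vhost cgi-bin, and greps
# crontabs for the "X11-unix" marker mentioned in the reply.

# Step 1 (post): list .pl files under the web root; .cgi added per the reply.
list_cgi_scripts() {
    find "${1:-/var/www}" -type f \( -iname '*.pl' -o -iname '*.cgi' \) -ls
}

# Step 2 (post): from ps-aux-style lines on stdin, print the PID of every
# Perl interpreter whose script lives in /var/www/vhosts/<domain>/cgi-bin/.
# Matching on the command and script fields (11 and 12) avoids the false
# hits of `grep .pl`, whose unescaped dot also matches "plesk" or "sample".
rogue_perl_pids() {
    awk 'BEGIN { re = "^/var/www/vhosts/[^/]+/cgi-bin/.*[.](pl|cgi)$" }
         $11 ~ "/perl$" && $12 ~ re { print $2 }'
}

# Step 3 (reply): crontab entries referencing X11-unix or a backgrounded perl.
cron_references() {
    grep -rnE 'X11-unix|perl .*&' "${1:-/var/spool/cron}" 2>/dev/null
}

# Constructed sample of `ps aux` output: two rogue cgi-bin scripts, one
# legitimate Perl job elsewhere, and a process whose name merely contains "pl".
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
domain 5369 0.0 0.2 41040 5928 ? S 13:12 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/impends.pl normal
root 1201 0.0 0.1 20000 3000 ? Ss 09:00 0:01 /usr/bin/perl /root/scripts/rotate.pl
domain 6309 0.0 0.2 41040 5924 ? S 13:18 0:00 /usr/bin/perl /var/www/vhosts/domain.co.uk/cgi-bin/motherboard.cgi
root 777 0.0 0.0 10000 1000 ? S 09:00 0:00 /usr/sbin/sample-daemon'

# Dry run over the sample: prints 5369 and 6309, nothing else.
# On a live box use:  ps aux | rogue_perl_pids
# and inspect each PID and its script before deciding whether to kill it.
printf '%s\n' "$SAMPLE_PS" | rogue_perl_pids
```

The legitimate job in /root/scripts and the "sample-daemon" entry are deliberately included so you can see that neither is reported.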

Do you know how I can do the manual update for 8.6.0? 3 of the servers I have won’t do the Plesk update via the updater or the autoinstaller. Your manual patch steps are great except that file doesn’t have 8.6.0 which I need, and the link for the MU#2 doesn’t have any links for it. But is there a file I can manually grab that has the patch files for 8.6.0?

Thanks

Hi Sean – I had a similar issue, 8.6.0 Plesk Control Panel would not run the updater – so I reinstalled the PSA updater.

I downloaded a new psa-autoinstaller-3.6.1-110415.10.i386.rpm RPM from here: http://autoinstall.plesk.com/PSA_8.6.0/dist-rpm-CentOS-5-i386/opt/updater/
(however you may need to modify the OS version depending upon what you use – just go up a couple of levels if you need to choose a different distro)

Then upgrade it using:

rpm -Uv psa-autoinstaller-3.6.1-110415.10.i386.rpm

I was then able to use the “Update” function in the control panel to update everything else.

Hope this helps!!
