Marc-NL
15-03-12, 11:07
Hello,
A major vulnerability was discovered in Plesk, allowing full access to the panel. Versions from 7.6.1 to 10.3.1 are vulnerable; version 10.4 is not affected.
To find out whether your server is vulnerable, see the following article: http://kb.parallels.com/en/113424
To apply the Plesk micro-updates, please follow this article: http://kb.parallels.com/en/9294
For more information: http://kb.parallels.com/en/113321
---------- Important ----------
It is strongly recommended to change all passwords
for Plesk users and the Admin account:
http://kb.parallels.com/en/113391
Check and clean your server in case it has been exploited:
1.) Delete the backdoor:
Delete all files in the /tmp directory on your server.
You should see files named 'u' or 'id', for example.
2.) Locate CGI and Perl scripts:
Type the following command: ls -al /var/www/vhosts/*/cgi-bin/*.pl
In each cgi-bin folder you will see .pl or .cgi files with different names.
Example: preaxiad.pl, dialuric.pl, fructuous.pl
Delete all these scripts if they are not yours.
3.) Secure your site:
Injections took place on WordPress, Drupal and/or Joomla. Make sure your sites use the very latest version of the CMS.
Via the Plesk panel, disable the CGI-BIN option in the hosting settings for sites that do not use it.
Also change the FTP/SQL passwords of the sites.
4.) Locate the source IP:
You can grep for the name of script.pl in your site's access_log to find the IP that performed the injection.
For example:
zgrep 'preaxiad' /var/www/vhosts/VOTREDOMAINEICI/statistics/logs/access_log*
It should return a line like:
12.34.56.78 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"
Use the IP at the beginning of this line to check whether other sites are affected.
Example:
zgrep 'ip.en.question.ici' /var/www/vhosts/*/statistics/logs/access_log*
This will return the list of logs of the sites from which the script has been called.
---------- Get help ----------
Our team can take care of checking and cleaning your server. To do so, you can open an incident ticket:
https://www.ovh.co.uk/support/declare_incident.xml
The intervention will be charged £80 VAT (or the equivalent in Euro) and includes:
- Removing scripts / backdoors
- Checking for the presence of the flaw
- The micro-update and update of your Plesk
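The script below is an added example, not part of Marc-NL's post or of any OVH or Parallels tooling. It automates steps 2 and 4 of the clean-up above: it lists the .pl/.cgi files in every vhost's cgi-bin that are not on an allow-list you maintain, finds the source IPs that requested a given script name across all vhost access logs (plain and gzip-rotated, which is what zgrep handles for you on a real server), and then lists which vhosts those IPs touched. The directory layout (`VHOSTS/<domain>/cgi-bin`, `VHOSTS/<domain>/statistics/logs/access_log*`) is the one used in the post; the vhost names, log lines and allow-list file are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example: Plesk post-compromise triage helpers (not from the original post).
# With no VHOSTS set, a constructed sample tree is built in a temp dir; on a real
# server run it as: VHOSTS=/var/www/vhosts ALLOWLIST=/root/allowed_cgi.txt sh triage.sh
SAMPLE=0
if [ -z "${VHOSTS:-}" ]; then
    SAMPLE=1
    VHOSTS="$(mktemp -d)/vhosts"
fi
ALLOWLIST="${ALLOWLIST:-$VHOSTS/../allowed_cgi.txt}"

# Print one log file, plain or gzip-compressed (done by hand so only gzip is needed).
read_log() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# Step 2: every .pl/.cgi under a vhost cgi-bin whose basename is NOT in the
# allow-list (one file name per line). Each path printed is a removal candidate
# once you have confirmed the script is not yours.
unexpected_cgi_scripts() {
    allow="$1"
    for f in "$VHOSTS"/*/cgi-bin/*.pl "$VHOSTS"/*/cgi-bin/*.cgi; do
        [ -f "$f" ] || continue
        grep -qxF -- "$(basename "$f")" "$allow" || echo "$f"
    done
}

# Step 4a: unique client IPs that requested the given script name, across all
# vhost access logs (the first zgrep of the post, generalised to every site).
source_ips_for_script() {
    name="$1"
    for log in "$VHOSTS"/*/statistics/logs/access_log*; do
        [ -f "$log" ] || continue
        read_log "$log" | grep -F -- "$name" | awk '{ print $1 }'
    done | sort -u
}

# Step 4b: vhosts whose logs contain requests from the given IP (the second zgrep).
sites_hit_by_ip() {
    ip="$1"
    for log in "$VHOSTS"/*/statistics/logs/access_log*; do
        [ -f "$log" ] || continue
        if read_log "$log" | awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }'; then
            # .../vhosts/<domain>/statistics/logs/access_log -> <domain>
            basename "$(dirname "$(dirname "$(dirname "$log")")")"
        fi
    done | sort -u
}

# Constructed sample data: three vhosts, two dropped scripts named as in the post,
# one legitimate script, and log lines in the same format as the one quoted above.
build_sample_tree() {
    for d in example-a.test example-b.test example-c.test; do
        mkdir -p "$VHOSTS/$d/cgi-bin" "$VHOSTS/$d/statistics/logs"
    done
    : > "$VHOSTS/example-a.test/cgi-bin/preaxiad.pl"
    : > "$VHOSTS/example-a.test/cgi-bin/myform.cgi"
    : > "$VHOSTS/example-b.test/cgi-bin/dialuric.pl"
    echo myform.cgi > "$ALLOWLIST"
    cat > "$VHOSTS/example-a.test/statistics/logs/access_log" <<'EOF'
10.0.0.5 - - [01/Mar/2012:02:30:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "" "Mozilla/5.0"
12.34.56.78 - - [01/Mar/2012:02:37:55 +0100] "GET /cgi-bin/preaxiad.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"
EOF
    # rotated, gzip-compressed log on a second site, hit from the same IP
    printf '%s\n' '12.34.56.78 - - [28/Feb/2012:23:10:02 +0100] "GET /cgi-bin/dialuric.pl HTTP/1.1" 200 181 "" "Opera/7.21 (Windows NT 5.2; U)"' \
        | gzip -c > "$VHOSTS/example-b.test/statistics/logs/access_log.1.gz"
    # third site with ordinary traffic only
    echo '10.0.0.5 - - [01/Mar/2012:03:00:00 +0100] "GET / HTTP/1.1" 200 42 "" "Mozilla/5.0"' \
        > "$VHOSTS/example-c.test/statistics/logs/access_log"
}

if [ "$SAMPLE" = 1 ]; then
    build_sample_tree
    echo "== CGI scripts not on the allow-list =="; unexpected_cgi_scripts "$ALLOWLIST"
    echo "== IPs that requested preaxiad.pl =="; source_ips_for_script preaxiad.pl
    echo "== vhosts contacted by 12.34.56.78 =="; sites_hit_by_ip 12.34.56.78
fi
```

Matching on the first log field rather than anywhere in the line (as `zgrep 'ip'` does) avoids false hits when the IP string also occurs in a referrer or user-agent, and gzip-rotated logs are read the same way as the live one, so an injection that happened before the last rotation is not missed.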