
Thread: Remote vulnerability in Plesk Panel

  1. #1
    Join Date
    May 2010
    Location
    ◄HIDDEN
    Posts
    33

    Remote vulnerability in Plesk Panel

    A recent remote vulnerability in Plesk Panel has been discovered.

    We suspect that client logins with weak passwords have been compromised due to this vulnerability.

    Later, injection attacks have been carried out on the compromised accounts by editing the files of the domains using the File Manager option in the control panel.

    The script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments) looks like this:




    On Google diagnostic pages of infected sites you will currently see something like this:

    Malicious software is hosted on 2 domain(s), including ctonxidjqijsnzny .ru/, znycugibimtvplve .ru/.
    Or the infected websites may be blocked and may display "Reported Attack Site".


    Parallels have released security patches and hot-fixes for this vulnerability and patches have been already applied on all our shared servers.

    For our VPS and Dedicated servers :

    You may find the patch and instructions to apply them on your servers :

    Plesk Patch - Article ID: 113321

    *Note: if you face any issues while applying the patch on your server, you may contact support and we will do this for you.



    **Secondly, we would suggest that you reset the Plesk Control Panel logins and FTP login details to strong ones as soon as possible as a precautionary measure.**

    You can also check the "Action Logs" of your Plesk control panel to see if there were any malicious logins to your Plesk control panel:

    Plesk 8.6 : Log into Plesk using Admin login >> Select Servers from left pane >> Select "Action Log"

    Plesk 9.x : Log into Plesk using Admin login >> Select Settings from left pane >> Select "Action Log"

    Plesk 10.x/11.x : Log into Plesk using Admin login >> Select Settings under server management >> Select "Action Log"


    If you see multiple logins from a malicious IP, you can report the IP to our support department and we will block it on your server.


    For sites that have already been infected and are displaying "Reported Attack Site!":

    Malware code has been injected in the website. You would need to contact your developer and scan the pages of the website manually for the malware code and remove the malware code.

    Alternatively, you can scan the website via an online scanner (like WebsiteDefender, etc.) to get the list of infected pages of the website.
    Once your website is clean, you can then file a review request from your Google Webmaster account.


    Further Reading : here
    Regards,
    Chris
    Windows Support Team
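
A scanner for the marker-wrapped script described in the post above, as an added example that is not part of the thread or the host's own tooling. It generalises the one quoted comment pair to any pair of `/*…*/` comments holding 10 lowercase alphanumerics; that pattern, the extension list and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumption: each marker is a /*...*/ comment wrapping 10 lowercase
# alphanumerics, generalised from the single pair quoted in the post.
MARKER = r"/\*[a-z0-9]{10}\*/"
INJECTED = re.compile(f"({MARKER})(.*?)({MARKER})", re.DOTALL)
WEB_EXTS = {".js", ".htm", ".html", ".php", ".asp", ".aspx"}  # assumed list

# Constructed sample: legitimate code plus a harmless stand-in payload.
SAMPLE = (
    "function menu() { return 1; }\n"
    "/* site footer helper */\n"
    "/*km0ae9gr6m*/var standIn = 'constructed';/*qhk6sa6g1c*/\n"
)

def find_injections(text):
    """Return (line, opening marker, closing marker) for each wrapped block."""
    return [
        (text.count("\n", 0, m.start()) + 1, m.group(1), m.group(3))
        for m in INJECTED.finditer(text)
    ]

def strip_injections(text):
    """Return text with every marker-wrapped block removed, for review."""
    return INJECTED.sub("", text)

def scan_tree(root):
    """Map each web file under root that holds a wrapped block to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_injections(text)
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    # Usage: python scan.py <downloaded-site-copy>; no argument runs the sample.
    if len(sys.argv) > 1:
        for name, hits in scan_tree(sys.argv[1]).items():
            for line, opener, closer in hits:
                print(f"{name}:{line}: block between {opener} and {closer}")
    else:
        print(find_injections(SAMPLE))
```

Run it against a downloaded copy of the site rather than the live document root, and diff the output of `strip_injections` against a known-good backup before re-uploading anything.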

  2. #2
    jazzy639 is offline new member
    Join Date
    Sep 2009
    Posts
    2


    Still having this issue on 91.186.0.11. I changed all my passwords on Wednesday 04/07/2012 after suffering from this and the code has now been injected again today at 12:09 PM.

    This is what I was told over LiveChat....

    Hi Chris

    As per this thread: webhosting*uk*com/forums/windows-shared-hosting/9123-fao-chris-plesk-vulnrability.html

    Domain name is fieldsandco.co.uk



    This is what I was told over live chat:

    Stephen: your account is hosted on shared server environment , there are many other clients hosting their websites on the same server
    Stephen: All clients are aware of the latest plesk vulnerability (so do us ... and the plesk patch has been applied as well)
    Stephen: only applying patch is not a complete solution for this issue
    Stephen: as you have reset passwords of your account (which we appreciate)
    Stephen: but there are other clients who have not yet change/reset their account passwords which is causing the injection
    Please can you look at this urgently?

  3. #3
    sysadmin's Avatar
    sysadmin is offline Administrator
    Join Date
    Oct 2006
    Posts
    310


    Quote: Originally Posted by jazzy639
    Still having this issue on 91.186.0.11. I changed all my passwords on Wednesday 04/07/2012 after suffering from this and the code has now been injected again today at 12:09 PM.

    This is what I was told over LiveChat....



    Please can you look at this urgently?
    Hi,

    We've applied the patches provided by Plesk & have tightened the server security too. We request you to download all website content to your local system, scan it with the latest updated antivirus and reupload it. Chances are that your site was injected (code injected) before we applied the patches & that needs to be cleaned. If you have a good copy of your site, please upload it after you've changed the password of all of your accounts. Please get in touch with our Live Chat support if you need any assistance.
    Regards,
    Jack Daniel.


Copyright 2001-2013 Web Hosting UK. All rights reserved.