Plesk 0Day For Sale As Thousands of Sites Hacked
Hackers in the criminal underground are selling an exploit that extracts the master password needed to controlParallels’ Plesk Panel, a software suite used to remotely administer hosted servers at a large number of Internet hosting firms. The attack comes amid reports from multiple sources indicating a spike in Web site compromises that appear to trace back to Plesk installations.
A hacker selling access to a Plesk exploit.
A miscreant on one very exclusive cybercrime forum has been selling the ability to hack any site running Plesk Panel version 10.4.4 and earlier. The hacker, a longtime member of the forum who has a history of selling reliable software exploits, has even developed a point-and-click tool that he claims can recover the admin password from a vulnerable Plesk installation, as well as read and write files to the Plesk Panel (see screen shot at right).
The exploit is being sold for $8,000 a pop, and according to the seller the vulnerability it targets remains unpatched. Multiple other members appear to have used it and vouched for its value.
It’s unclear whether this claimed exploit is related to a rash of recent attacks against Plesk installations. Sucuri Malware Labs, a company that tracks mass Web site compromises, told SC Magazine that some 50,000 sites have recently been compromised as part of a sustained malware injection attack, and that a majority of the hacked sites involved Plesk installations.
“What is interesting is that most of our clients always used to be using CMSs (like WordPress, Joomla, etc), but lately we are seeing such a large number of just plain HTML sites getting compromised and when we look deeper, they are always using Plesk,” Sucuri’s Daniel Cid said in a follow-up interview with KrebsOnSecurity.com.
In a detailed blog post last month about a new technological advancement in BlackHole exploit kits, malware researcher Denis Sinegubko examined more than a dozen sites that were seeded with the newer BlackHole kits. He discovered that the common link was Plesk, and said the culprit was likely a now-patched security holein Plesk versions prior to 10.4.
A hacker selling access to a Plesk exploit.The exploit is being sold for $8,000 a pop, and according to the seller the vulnerability it targets remains unpatched. Multiple other members appear to have used it and vouched for its value.
It’s unclear whether this claimed exploit is related to a rash of recent attacks against Plesk installations. Sucuri Malware Labs, a company that tracks mass Web site compromises, told SC Magazine that some 50,000 sites have recently been compromised as part of a sustained malware injection attack, and that a majority of the hacked sites involved Plesk installations.
“What is interesting is that most of our clients always used to be using CMSs (like WordPress, Joomla, etc), but lately we are seeing such a large number of just plain HTML sites getting compromised and when we look deeper, they are always using Plesk,” Sucuri’s Daniel Cid said in a follow-up interview with KrebsOnSecurity.com.
In a detailed blog post last month about a new technological advancement in BlackHole exploit kits, malware researcher Denis Sinegubko examined more than a dozen sites that were seeded with the newer BlackHole kits. He discovered that the common link was Plesk, and said the culprit was likely a now-patched security holein Plesk versions prior to 10.4.
0 comments:
Post a Comment