Atomic Secure Linux
Post subject: Parallels Plesk - Critical Security Vulnerability
Posted: Thu Feb 09, 2012 9:17 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Parallels has just announced that there is a SQL injection security vulnerability in some older versions of Plesk. This vulnerability is considered by Parallels to be critical in nature, and we recommend that you install this update.

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, Parallels recommends that you update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 - Update to Plesk 9.5.4 MicroUpdate #11 or later
Update Instructions: here

Plesk 8 - Update to Plesk 8.6.0 MicroUpdate #2 or later
Update Instructions: here

We will be adding a proxying function into ASL so that you can put all your web GUIs behind ASL's web firewall in ASL 3.0.20 or 21, so vulnerabilities in any web control panel can be automatically protected against.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Thu Feb 09, 2012 11:58 pm
Forum Regular
Joined: Tue Aug 05, 2008 5:01 pm
Posts: 108
Is it the upgrade on the ART Plesk repos? Or do I need to upgrade from Parallels?

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Fri Feb 10, 2012 9:03 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Parallels - log in to Plesk and do it from the updater, or you can do it from the command line via the autoinstaller.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Fri Feb 10, 2012 10:28 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
Unfortunately we can't push this one, since they used the out-of-band "micro" updater.

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Fri Feb 10, 2012 11:28 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
I don't actually know if these notes are correct or not, but I draw your attention to:

Quote:
Plesk 8 - Update to Plesk 8.6.0 MicroUpdate #2 or later


Our 8.6 installations are on MU9 or MU10, implying this is an OLD issue in some way.
I only know this from the email sent by the updater script on completion. I can't see a way to find the MU installed in 8.6 in any other way. Why can't they give us a Build version to compare against?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Fri Feb 10, 2012 2:12 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Quote:
I don't actually know if these notes are correct or not


These notes came verbatim from Parallels. Those are their instructions, so it could be an error in their alert, it could be an OLD vulnerability, or maybe their versioning system is a bit wonky? Either way, they only published this last night, so it may be brand spanking new. Just to be safe, we recommend you make sure you are on the latest for 8 (or, if you are using 9 or 10, the latest for them too).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Fri Feb 10, 2012 4:11 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
And since those are un-versioned, short of getting some md5sums of the various files, it's not very easy to know if the fix is in place or not.

-50 DKP!

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Sat Feb 18, 2012 11:47 pm
Forum User
Joined: Fri May 21, 2010 7:18 pm
Posts: 12
For Plesk 8.6, there is a note at the bottom of this KB article (http://kb.parallels.com/9294) that says your psa-autoinstaller needs to be 3.6.1 to support the Micro Update functionality. Then the autoinstaller in the panel shows the psa base update.

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Sat Feb 18, 2012 11:53 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
Good news there: we added 8.6 support to the Plesk WAF on Friday. Plus a whole mountain of clam sigs specific to what the bad guys are using. I really need to do a bigger post about what we've dissected from this attack, but I'll give you the short version now.

The attack comes in 2 stages. The initial recon happened in January. During that time the attackers dumped vulnerable Plesk username & password databases. They did that because they expected people to patch the system and assume the problem was over with. Then they hit it with an SQL injection that uploaded the malware about a week later. When that stops working, they come back with the user credentials they grabbed back in January and upload the malware via the Plesk file manager.

So, we added the WAF for Plesk; this gets the SQL injection & adds the ClamAV upload scanning to the file manager. The upload scanner gets the malware they upload using the username/password credentials.

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Sun Feb 19, 2012 11:18 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
That's really good news.

Just an update for people using 8.6 (and 8.4 and earlier) so they don't panic too much:

IF YOU HAVE PLESK 8.6:
If you have been keeping your Plesk install even slightly up to date, you'll not have the vulnerable version of the file in question installed. It was, as has been discussed, fixed in MU2, and we are now on MU10. MU2 was released a very long time ago.

IF YOU HAVE PLESK 8.x (earlier than 8.6):
You may need to manually update a certain file. Plesk versions earlier than 8.6 do not *appear* to have the necessary MU functionality in their updaters, and so will not have updated themselves. However, for the vulnerability to work, you would have had to have installed the Plesk API/Agent.

HOW TO CHECK WHICH (IF ANY) MUs you have installed:
As root (or use sudo) just issue the command

Code:
locate microupdate


And you'll see a load of stuff corresponding to various MUs. There's also an XML file containing a note of the last MU installed.

If you get nothing when you "locate microupdate", you have none installed. This is most likely with an older version of Plesk (8.x < 8.6). Follow the links in one of the earlier posts, download the patch and copy the necessary file to the appropriate place.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Mon Feb 27, 2012 9:48 am
Forum Regular
Joined: Tue Jun 24, 2008 12:05 pm
Posts: 145
Am I correct in that ASL doesn't catch the agent.php hack (or at least it didn't before February 21)? Because my server was exploited, and on the 21st of February 4 accounts were modified over FTP (added a .htaccess file that allows execution of gif/png files, replaced 1 image with a php file with the extension of the replaced image, and added some code to an already existing .js file). Visitors of infected sites get a cookie placed on their system (name: wss, content: gootX (where X is a number)). I manually tracked down the changed files through the xferlog. I don't know when exactly they gained the list of FTP passwords, but ASL didn't catch it.

I removed the files, updated Plesk, changed the FTP port and then renamed both agent.php and Agent.php. Renaming those files seems to have no effect on the workings of Plesk, so I doubt they will be able to use any future exploits through those files.

Too bad Plesk doesn't offer a bulk password reset option, so I had to manually change every single password on the system.
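As an added illustration of the three tampering indicators reported in the post above (this is not code from the thread, from Atomicorp or from Parallels), the script below walks a web root and flags .htaccess handler lines that execute image extensions as PHP, image files that actually hold PHP source, and .js files planting the wss=gootN cookie. The handler-directive regex and the sample vhost tree are assumptions constructed here so the scan runs offline.

```python
"""Detection-only scan for the tampering described in the post above:
.htaccess mapping image extensions to PHP, images holding PHP source,
and .js files planting 'wss=gootN'. Regex and sample tree are constructed."""
import os
import re
import tempfile

# Handler directives that would make .gif/.png/.jpg files run as PHP (assumed forms).
HTACCESS_RE = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler)\s+\S*php\S*.*\.(gif|png|jpe?g)\b",
    re.I | re.M)
# Cookie reported in the thread: name wss, value gootX with X a number.
JS_COOKIE_RE = re.compile(r"wss\s*=\s*goot\d+")
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg")

def scan_webroot(root):
    """Walk a web root; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first MiB suffices for these checks
            text = data.decode("latin-1")  # byte-preserving decode for regexes
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower == ".htaccess" and HTACCESS_RE.search(text):
                findings.append((rel, "htaccess executes image extensions as PHP"))
            elif lower.endswith(IMAGE_EXT) and b"<?php" in data:
                findings.append((rel, "image extension but PHP source inside"))
            elif lower.endswith(".js") and JS_COOKIE_RE.search(text):
                findings.append((rel, "js plants wss=goot cookie"))
    return sorted(findings)

def build_sample_tree():
    """Constructed vhost tree: three tampered files and two clean ones."""
    root = tempfile.mkdtemp(prefix="plesk_scan_")
    samples = {
        "httpdocs/.htaccess": "AddHandler application/x-httpd-php .php .gif .png\n",
        "httpdocs/img/logo.gif": "<?php /* constructed stand-in, not real code */ ?>",
        "httpdocs/img/real.gif": "GIF89a\x01\x00\x01\x00",
        "httpdocs/js/site.js": "document.cookie = 'wss=goot3; path=/';",
        "httpdocs/js/clean.js": "function ready() { return true; }",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(content)
    return root
```

Run it against a real vhost directory instead of the sample tree to triage which accounts were touched; cross-check hits against the FTP xferlog timestamps as the poster did.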

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Mon Feb 27, 2012 10:47 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
It does in 3.0.20, when you set up the Plesk WAF (this watches traffic over 8443). It's in asl-3.0-testing now, and should be published to asl-3.0 shortly.

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Mon Feb 27, 2012 11:01 am
Forum Regular
Joined: Tue Jun 24, 2008 12:05 pm
Posts: 145
This Plesk WAF, is this an ASL feature, as I don't seem to have it in Plesk? I also changed my Plesk port, so it no longer listens on 8443, so it would be nice if this coming feature would allow setting the port number.

Also, I renamed both agent.php and Agent.php (with no adverse effects as far as I can see); could this cause problems?

Post subject: Re: Parallels Plesk - Critical Security Vulnerability
Posted: Mon Feb 27, 2012 1:46 pm
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
It's an ASL feature, just added in 3.0.20.
