Thousands of Sites Hacked with Plesk Zero Day Exploit

Tuesday, July 10, 2012



Reports are surfacing that indicate a large-scale iframe injection operation targeting websites is exploiting vulnerabilities in several popular plugins, including TimThumb, PHPMyAdmin and Uploadify.

The majority of the sites being targeted are running Plesk Panel version 10.4.4 or older, and researchers from Sucuri have indicated that as many as fifty thousand websites may have been compromised by an unidentified botnet operation.

Brian Krebs reports that the attacks may be linked to a recently discovered zero-day exploit for Plesk that is being sold on the black market for around $8,000 per purchase.

According to Krebs, the exploit is designed to harvest the administrator password needed to access the Plesk control panel, which website admins use to remotely manage the servers their sites are hosted on, usually through a third-party hosting service.

The connection to the Plesk exploit is as yet circumstantial, but analysis by Sucuri's Daniel Cid points to the vulnerability as a key factor in the swift compromise of the affected websites.

"What is interesting is that most of our clients always used to be using CMSs (like WordPress, Joomla, etc), but lately we are seeing such a large number of just plain HTML sites getting compromised and when we look deeper, they are always using Plesk," Cid told Krebs.

Last month, malware researcher Denis Sinegubko provided analysis of the BlackHole Exploit Kit's successful compromise of several sampled websites and determined that a vulnerability in Plesk was probably the culprit.

That bug was subsequently patched, but the new wave of website hacks is an indication that another serious flaw in the application may be as yet unmitigated.

The BlackHole Exploit Kit is one of the most popular exploit packs in the underground market, and Symantec's analysis of the latest incarnation revealed it was adapted to take advantage of an unpatched vulnerability in Microsoft XML Core Services (CVE-2012-1889) to facilitate drive-by attacks on Internet users.

BlackHole injects malicious code into compromised websites, allowing attackers to utilize a variety of exploits that target vulnerabilities in widely used applications like Java and Flash, and infects victims with a drive-by attack when they visit the compromised website.

The latest version of BlackHole also contains JavaScript that can generate pseudo-random domains, so the URLs for the injected iframes remain reachable even if one injected URL is changed or taken down during mitigation; older versions of BlackHole required the compromised sites to be manually updated to point at the new URL.
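For site owners checking plain HTML pages of the kind described above, the following added example (not code from the original article or from Sucuri) flags iframes that show the classic signs of an injection: an off-site src, CSS that hides the frame, or zero/one-pixel dimensions. The sample page and the `evil-example.invalid` host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected frame invisible to visitors
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser already lowercases tag names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height of 0 or 1 px, another way to hide a frame."""
    try:
        return int(value.lower().replace("px", "").strip()) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for each iframe that looks injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # relative src (no hostname) is treated as same-site
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host:
            reasons.append("off-site src host %s" % host)
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel dimensions")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate same-site frame, one injected frame
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="/widgets/contact.html" width="400" height="300"></iframe>
<iframe src="http://q7x2k9.evil-example.invalid/in.php" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""
```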

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.