Plesk Panel, a popular web hosting management tool, is under attack and is being used as a point of entry to compromise websites.
The software, created by virtualisation and automation firm Parallels, has been targeted in the past through a vulnerability that allowed attackers to remotely compromise the Plesk server. That vulnerability affected Plesk versions 7.x, 8.x, 9.x and 10.0 to 10.3.1. When it closed the hole, Parallels recommended that administrators reset the passwords of all users.
Although the fix was put in place in February this year, Plesk users believe that the hackers who compromised user sites at that time appear to have returned. They have voiced theories on Parallels' own forums, suggesting that the hackers harvested data from Plesk while it was vulnerable and then took advantage of admins or users who did not reset their passwords after the hack. This would explain why admins who updated Plesk, and were meant to be secure, are seemingly being compromised through an old vulnerability.
But another theory is that there is a new zero-day vulnerability in Plesk 10.4.4 and earlier. Brian Krebs at Krebs on Security reported that underground hacking forums are selling a Plesk zero-day exploit for US$8000, with other forum members vouching for its legitimacy.
ZDNet Australia contacted Parallels over the claims of a zero-day exploit in the wild, but the firm had not responded at the time of writing.
Regardless, Plesk is definitely attracting attention from hackers. There has been a large surge in unsolicited port scans looking for Plesk installations, according to data from the SANS Internet Storm Centre, as noted by Sucuri Malware Lab's Daniel Cid in an interview with SC Magazine. Cid said that more than 50,000 websites have been compromised as part of the campaign.
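An administrator who wants to see whether that scanning surge is reaching their own hosts can look for it in firewall logs. The following is an added example, not code from the article, from Parallels, SANS or Sucuri: it parses iptables/UFW-style kernel log lines (the sample lines below are constructed, not real traffic), counts distinct source addresses probing Plesk's default admin port (8443, an assumption for the example; adjust if your panel listens elsewhere) per hour, and flags hours where that count jumps well above the baseline of the other hours. The thresholds are illustrative.

```python
"""Flag a surge of probes against the Plesk admin port in firewall logs.

Added example; not from the article or from Parallels/SANS/Sucuri.
Assumes UFW/iptables-style kernel log lines and Plesk's default admin
port 8443. Sample log lines are constructed for the example.
"""
import re
from collections import defaultdict
from statistics import median

PLESK_ADMIN_PORT = 8443  # default Plesk panel port (assumption for this example)

# Constructed sample log: quiet hours 02 and 03, then a burst of distinct
# sources hitting 8443 in hour 04. One UDP line and one port-80 line are
# present to show they are ignored.
SAMPLE_LOG = """\
Jun 10 02:05:11 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=8443 WINDOW=1024 SYN
Jun 10 02:17:43 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=41235 DPT=8443 WINDOW=1024 SYN
Jun 10 02:40:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=50001 DPT=8443 WINDOW=1024 SYN
Jun 10 03:09:30 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 PROTO=TCP SPT=50321 DPT=8443 WINDOW=1024 SYN
Jun 10 03:33:12 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=1025 DPT=22 WINDOW=1024 SYN
Jun 10 04:01:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=8443 WINDOW=1024 SYN
Jun 10 04:01:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=8443 WINDOW=1024 SYN
Jun 10 04:01:03 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.12 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=8443 WINDOW=1024 SYN
Jun 10 04:01:04 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.13 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=8443 WINDOW=1024 SYN
Jun 10 04:01:05 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.14 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=8443 WINDOW=1024 SYN
Jun 10 04:01:06 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.15 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=8443 WINDOW=1024 SYN
Jun 10 04:01:07 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.15 DST=203.0.113.5 PROTO=TCP SPT=40007 DPT=8443 WINDOW=1024 SYN
Jun 10 04:02:08 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=8443 LEN=40
Jun 10 04:02:09 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.78 DST=203.0.113.5 PROTO=TCP SPT=3333 DPT=80 WINDOW=1024 SYN
"""

# Syslog timestamp, then the SRC / PROTO / DPT fields in the order iptables logs them.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} .*?"
    r"SRC=(?P<src>[0-9.]+) .*?PROTO=(?P<proto>[A-Z]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields we care about, or None for lines that are not firewall hits."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "hour": f"{m['mon']} {m['day']} {m['hour']}",
        "src": m["src"],
        "proto": m["proto"],
        "dport": int(m["dpt"]),
    }


def sources_per_hour(lines, port=PLESK_ADMIN_PORT):
    """Number of distinct source IPs that sent a TCP probe to `port`, per hour.

    Distinct sources, not packet counts, so one noisy host does not look like a campaign.
    """
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            buckets[rec["hour"]].add(rec["src"])
    return {hour: len(srcs) for hour, srcs in buckets.items()}


def find_surges(counts, factor=3.0, min_sources=5):
    """Hours whose distinct-source count is at least `min_sources` and at least
    `factor` times the median of the other hours (the baseline)."""
    surges = []
    for hour, n in counts.items():
        others = [v for h, v in counts.items() if h != hour]
        baseline = median(others) if others else 0
        if n >= min_sources and n >= factor * baseline:
            surges.append(hour)
    return sorted(surges)


def surge_hours(log_text=SAMPLE_LOG):
    """Convenience wrapper: hours in `log_text` that look like a Plesk scan surge."""
    return find_surges(sources_per_hour(log_text.splitlines()))


if __name__ == "__main__":
    for h in surge_hours():
        print(f"possible Plesk scan surge during hour {h}")
```

On a real host, feed it `/var/log/kern.log` or `journalctl -k` output instead of `SAMPLE_LOG`. A scan surge on 8443 is only a signal that the panel is being enumerated; whether the host was actually compromised still has to be checked against the panel's own access logs and, per the article, by confirming that the post-patch password reset was done.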
Yesterday there were reports of attacks using WordPress and other plug-ins to compromise sites. However, from Cid's later discussions with Krebs, the common factor among all of the compromised sites appears to be Plesk, meaning that users don't have to be running a content management system such as WordPress to become a victim.