Today I discovered new cron jobs on one of the servers, which made me start investigating and searching for information on the topic.
After searching, I found only one mention, on the official Parallels forum.
People have been complaining for several days now; at first technical support dismissed the reports, and now it has gone completely silent.
Having found the trojan, I posted its source code on pastebin.
Quite an interesting script, part of a botnet.
The script registers itself in cron like this:
`echo '* * * * * $^X $script_path detach >/dev/null 2>&1' > /tmp/cron.d; crontab /tmp/cron.d ; rm /tmp/cron.d`;
It then receives commands to attack servers, with several attack modes. See the source if you are interested. And yes, it contains comments in Russian, so it is clear where it comes from :)
The hole itself, through which it was uploaded, is in the file manager of the Plesk panel.
The script is placed in /var/www/vhosts/DOMAINNAME/cgi-bin/, under various names with the .pl extension.
For now, I have restricted access to the Plesk panel with a firewall, allowing only known addresses. There is no fix or patch yet. So if you run a Plesk panel, be careful. Versions 9.5 and below are affected.
You can check whether it is present on your server like this (recently modified .pl files in any vhost's cgi-bin, within the last 48 hours):
find /var/www/vhosts/[a-z]*/cgi-bin/*.pl -mmin -2880
If you see unfamiliar files with the .pl extension, you have already been infected.
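As an added example (not from the original post), here is a defender's check that covers both artefacts described above, the recently dropped .pl scripts in cgi-bin and the every-minute "detach" crontab line; it runs against a constructed sample tree and crontab dump, and assumes the vhost layout and cron line quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from Plesk.
# Assumes the layout /var/www/vhosts/<domain>/cgi-bin/ and the crontab
# line "* * * * * <perl> <script> detach >/dev/null 2>&1" quoted above.

# List .pl files under <root>/<domain>/cgi-bin/ modified in the last <minutes>.
# Every domain directory is scanned, not only those starting with a letter.
find_recent_pl() {
    root="$1"; minutes="$2"
    find "$root"/*/cgi-bin -name '*.pl' -type f -mmin "-$minutes" 2>/dev/null | sort
}

# Print crontab lines that run every minute and pass the "detach" argument,
# the persistence pattern the trojan installs. Reads a crontab dump from stdin
# (e.g. the output of "crontab -l" for each system and vhost user).
suspicious_cron_lines() {
    grep -E '^\* \* \* \* \* .* detach( |$)'
}

# Constructed sample: a fake vhosts tree with one fresh and one old script.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/example.com/cgi-bin" "$demo_root/old.example/cgi-bin"
echo '#!/usr/bin/perl' > "$demo_root/example.com/cgi-bin/x7q2.pl"
echo '#!/usr/bin/perl' > "$demo_root/old.example/cgi-bin/legit.pl"
touch -t 202001010000 "$demo_root/old.example/cgi-bin/legit.pl"   # make it old

# Constructed crontab dump: one benign job and one matching the trojan pattern.
demo_cron='0 3 * * * /usr/bin/certbot renew
* * * * * /usr/bin/perl /var/www/vhosts/example.com/cgi-bin/x7q2.pl detach >/dev/null 2>&1'

echo "Recently modified .pl scripts (48h):"
find_recent_pl "$demo_root" 2880
echo "Suspicious crontab entries:"
printf '%s\n' "$demo_cron" | suspicious_cron_lines
```

On a real server, point find_recent_pl at /var/www/vhosts and feed suspicious_cron_lines the crontab of every user, since the trojan installs its job under the account that owns the vhost.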