JPCERT-AT-2013-0018
JPCERT/CC
2013-04-08
<<< JPCERT/CC Alert 2013-04-08 >>>
Alert regarding the usage of old versions of Parallels Plesk Panel
https://www.jpcert.or.jp/english/at/2013/at130018.html
I. Overview
JPCERT/CC has received numerous reports regarding Web attacks.
These attacks are due to an unauthorized Apache module residing on the
server, which causes unintended JavaScript to be inserted when viewing
the website. As a result, a user PC may be infected with malware.
According to the information that we have obtained, most of these
sites use older versions of Parallels Plesk Panel, some of which are
no longer supported. When Parallels Plesk Panel is installed, other
software (MySQL, BIND, phpMyAdmin, etc.) may be installed with it.
Users may not be aware that this software may be an older version that
contains vulnerabilities.
It has not been verified that all the web attack cases related to
the unauthorized Apache module are a result of leveraging
vulnerabilities. However, when running versions that contain
vulnerabilities, an attacker may leverage these vulnerabilities and
perform web defacement as well as other attacks. Therefore, it is
recommended to update not only Parallels Plesk Panel, but also the OS
and other related software, to the latest released versions.
Some attacks have used an SQL Injection vulnerability in an older
version of Parallels Plesk Panel to obtain account information, while
other attacks performed an unauthorized login after obtaining an easily
guessable password through a dictionary attack. It was also observed
that, after the unauthorized login, the cron manager in Parallels
Plesk Panel was used to execute an unauthorized script that placed an
unauthorized Apache module.
II. Solution
If using Parallels Plesk Panel for managing websites, please
consider the following recommendations:
- Update Parallels Plesk Panel to the latest version
- Update the OS and the software on the server to the latest versions
- Restrict access to Parallels Plesk Panel
(Only allow from certain IP addresses)
- Set a strong password
- Do not allow tasks to be run on behalf of root from the
Parallels Plesk Panel configuration screen (*1)
(*1) By default, Parallels Plesk Panel allows utilities or scripts
to be run on behalf of root in two cases:
- Scheduling tasks with the cron manager (versions 8 through 11)
- Handling events with the Event Manager tool (version 11)
To eliminate these vulnerabilities, create the following files and
leave them empty:
$PRODUCT_ROOT_D/var/root.crontab.lock
$PRODUCT_ROOT_D/var/root.event.handler.lock
$PRODUCT_ROOT_D is /usr/local/psa on RPM-based systems
or /opt/psa on DEB-based systems.
For more details, please refer to "Protecting from Running Tasks on
Behalf of root" from the document below:
Enhancing Security
http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-linux-advanced-administration-guide/68755.htm
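The lock-file step in (*1), as an added shell example that is not part of
this alert or of the Parallels documentation: it creates the two empty files
under $PRODUCT_ROOT_D/var and reports any that are missing or not empty.
The function names, the --check/--apply switches and the refusal to write
through a symlink are assumptions of this example.

```shell
#!/bin/sh
# Added example: lock files and candidate roots are the ones named in the alert.
LOCKS="root.crontab.lock root.event.handler.lock"

# Print the first candidate $PRODUCT_ROOT_D that has a var/ directory.
find_product_root() {
    for d in /usr/local/psa /opt/psa; do
        [ -d "$d/var" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# check_locks ROOT: succeed only if both lock files exist as empty regular
# files (a symlink is reported as missing).
check_locks() {
    root=$1; rc=0
    for f in $LOCKS; do
        p="$root/var/$f"
        if [ -L "$p" ] || [ ! -f "$p" ]; then
            echo "MISSING   $p"; rc=1
        elif [ -s "$p" ]; then
            echo "NOT EMPTY $p"; rc=1
        else
            echo "OK        $p"
        fi
    done
    return "$rc"
}

# apply_locks ROOT: create missing lock files, truncate non-empty ones.
apply_locks() {
    root=$1
    [ -d "$root/var" ] || { echo "no var/ under $root" >&2; return 2; }
    for f in $LOCKS; do
        p="$root/var/$f"
        # Assumption of this example: never write through a symlink as root.
        [ -L "$p" ] && { echo "refusing symlink $p" >&2; return 3; }
        true > "$p" || return 4
    done
    check_locks "$root"
}

# Run as root on the Plesk host: "--check" reports, "--apply" creates the files.
case "${1:-}" in
    --check) r=$(find_product_root) && check_locks "$r" ;;
    --apply) r=$(find_product_root) && apply_locks "$r" ;;
esac
```

Running the --check mode after each Plesk update confirms that both lock files are still present and empty.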
III. References
Parallels
Release Notes for Parallels Plesk Panel 11.0 for Linux Systems
http://download1.parallels.com/Plesk/PP11/11.0/release-notes/parallels-plesk-panel-11.0-for-linux-based-os.html
Parallels
Parallels Plesk Panel security best practices
http://kb.parallels.com/114620
Parallels
Enhancing Security
http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-linux-advanced-administration-guide/68755.htm
Trend Micro
Web alterations using unauthorized module in Domestic and overseas Web servers (Apache)
http://blog.trendmicro.co.jp/archives/6888
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/