News:

Click here for Toll-Free Service for your business starting at $2.00 per month

Main Menu

Blackhole Exploit

Started by sven, August 27, 2012, 11:41:01 PM

Previous topic - Next topic

sven

So I just found that my index.html (in httpdocs) had been replaced with one that looked identical but had a 22kb javascript exploit at the end.

I removed that and replaced it with the correct one.

(EDIT: Strike this part, at least; my ftp client doesn't list -a by default. Doh. Everything else is still as described, though ... In that process I also noticed that all the ".htaccess" files in the various directories had been removed. Replacing them (by plain FTP) appears not to work - they vanish as soon as I place them there.)

I do not know how my web-directory could've been accessed other than from your side - is there something rogue running that is messing with people's files? When I go to http://sitecheck.sucuri.net/scanner/ and run a check on my site (which reported as infected, now reports clean) it tells me that the version of plesk running there is outdated.

Can someone else have a look at their index.html file and possibly error document (and possibly .htaccess files) and confirm or deny that there's a problem here somewhere? Thanks in advance.

--
"Everything is futile!"
    -- Marvin of Borg

sven

So this is what I hear from someone smart in a different forum:

Quote
The most common way for websites to get infected is apparently by running a version of Plesk earlier than 11 - and your host was running Plesk 8 according to the virus scanners:
http://blog.unmaskparasites.com/2012/06/26/millions-of-website-passwords-stored-in-plain-text-in-plesk-panel/

Notice your password is stored in cleartext, and until your host updates Plesk anybody will be able to retrieve it again - even if you change it.

As for what happens for people who visits the site, there is a description here:
http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

This would mean you guys really need to update plesk ...
--
"Everything is futile!"
    -- Marvin of Borg

admin

The various patches have been applied to Plesk that fix the vulnerability.  (Plesk released patches for version 8.x and 9.x installations and originally said 10.x were not affected.  They later said you had to upgrade to 11.x if you were running 10.x since no patches were made for that version, but patches were made available for 8.x and 9.x versions.  These versions are not yet EOL until next year.)

We sent a mass mail out to all users quite a few months ago advising users to change all of their passwords due to the exploit.  If you have not changed your password(s), someone will still have access to your site using the retrieved password lists.

Be sure you have changed your FTP password, Plesk password, and any database passwords (since those would have been exposed when/if they accessed your files).

Speedline Z

So there are no patches for version 10?  It seems Parallels corrected the issue in version 10.4, but Plesk 5 is running version 10.2 ... are our passwords still stored in plaintext, or did they come out with a patch/fix for version 10.2

sven

I sifted through my email and I'm pretty sure I didn't get anything about this (until last week).

I changed my passwords and all seems well (I had written myself a little wrapper around wget to retrieve all my html files and compare their MD5s with known good values once a day, and there was no further activity on that account).

I'm in Los Angeles, and as far as I understand it that means plesk4 is the one I should be using? Or should I migrate somewhere else?
--
"Everything is futile!"
    -- Marvin of Borg

admin

Plesk4 and Plesk6 are the best servers to use right now, they are patched.

Plesk5 is running 10.2 which needs updated (but it fails due to the horrible mess it was to get it updated that far).

admin

Just to clarify, all servers were patched quite some time ago for this vulnerability.  Plesk release Micro Updates (that do not increment the version number) to fix this in all versions including 8.x

Our goal is to replace the servers.

The frist server scheduled for replacement is Plesk4.