IRC Botnet Leveraging Unpatched Plesk Vulnerability

A sizable number of web servers running vulnerable Plesk software, including a number of Apache servers, make up a new IRC botnet.

Researchers have found a botnet exploiting a vulnerability in the Plesk hosting control panel, ramping up calls from experts to upgrade to current versions of the product.

A notice on the Plesk command injection vulnerability as well as exploit code was posted last week to the Full Disclosure list by a hacker called kingcope. The researchers who reported the botnet said they were seeing up to 40 infections per hour. Some Apache server configurations are also vulnerable, experts said.

Plesk is popular hosting software used to manage website configurations for any number of domains. Plesk is a Parallels product; the company is headquartered in Seattle and sells virtualization software in addition to products for web hosts.

The vulnerability enables remote code execution and affects PHP-CGI software. A Parallels advisory said the flaw affects Parallels Plesk Panel 9.2 and 9.0 for Linux/UNIX. Later versions are not vulnerable, and users are urged to upgrade as soon as possible. However, Trend Micro vulnerability researcher Sooraj KS said this vulnerability differs from the one Parallels issued an advisory about, because the exploit calls the PHP interpreter directly.

“This vulnerability is easily exploitable with the exploit code available and successful exploitation can lead to complete compromise of the system with web service privileges,” said Sooraj on the company’s Security Intelligence blog. “The vulnerability is caused due to PHP misconfiguration in the affected application.”

According to a Full Disclosure entry, the IRC botnet is sizable and is infecting web servers with a backdoor that instructs them to connect to command and control infrastructure in the 118[.]97[.]x[.]x range. The C&C host itself, the researchers said, was vulnerable to the Plesk exploit.

“We made use of this vulnerability to gain privileged access to the C&C server,” a researcher known as jtag said. “After doing so, we monitored attempts to connect to the IRC for several hours.”

Their forensic investigation of the C&C server found that 900 hosts running vulnerable Plesk software tried to connect to the control server. The researcher said a tool was written and used to disinfect the compromised hosts.
