is this email legitimate? "Plesk - Critical Security Vulnerability"

**tkalfaoglu** · Feb 10, 2012, 01:58 AM

I got an email that states "Plesk - Critical Security Vulnerability" , but all the links point to somewhere called echo4.bluehornet.com.

Is this phishing or legitimate?

Plesk - Critical Security Vulnerability - Patch REQUIRED

Dear Parallels Plesk Panel User:

Please read this message in its entirety and take the recommended actions.

Parallels has been informed of a SQL injection security vulnerability in some older versions of Plesk. This vulnerability is considered critical in nature and customers are advised take action quickly.

A patch has been released to resolve this vulnerability. Based on the version and operating system of Plesk you use, please follow the instructions below.

Linux

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, it is recommended to update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 - Update to Plesk 9.5.4 MicroUpdate #11 or later
Update Instructions: here

Plesk 8 - Update to Plesk 8.6.0 MicroUpdate #2 or later
Update Instructions: here

Windows

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, it is recommended to update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 - Apply Fix from Parallels Knowledge Base
Update Instructions: here

Plesk 8 - Apply Fix from Parallels Knowledge Base
Update Instructions: here

If you are already at or above the Version and MicroUpdate levels indicated above - you are already protected from this vulnerability.

Parallels takes the security of our customers very seriously and urges you to act quickly by applying these patches.

Thanks,

- The Parallels Plesk Panel Team

©2012 Parallels Holdings Ltd. All rights reserved.

This message was intended for myemail@kalfaoglu.net. You were added to this list October 15, 2009.

To update your subscription options, click here. Use this link to unsubscribe.
Parallels, Inc.
500 SW 39th St, Suite 200
Renton, WA 98057

License Agreement | Terms of Use | Privacy Policy

**IgorG** · Feb 10, 2012, 02:42 AM

Could you please show full email header?

**tkalfaoglu** · Feb 10, 2012, 03:04 AM

sure, thank you.. PS: I changed my mail address to xxxx@kalfaoglu.net in the posting below.

From - Fri Feb 10 09:26:54 2012
X-Account-Key: account4
X-UIDL: UID202892-1179178697
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: (qmail 14915 invoked by uid 10510); 10 Feb 2012 02:26:17 +0200
Received: from smtp.orangegrove.bluehornet.com by panel.kalfaoglu.net (envelope-from <bounce-use=m=17685689703=echo4=a341b8c016e45c75080a45495c b85ea3@returnpath.bluehornet.com>, uid 2020) with qmail-scanner-2.08st
(clamdscan: 0.97.3/14423. spamassassin: 3.2.5. perlscan: 2.08st.
Clear:RC:0(67.216.225.172):SA:0(-0.3/6.5):.
Processed in 1.599224 secs); 10 Feb 2012 00:26:17 -0000
X-Spam-Status: No, hits=-0.3 required=6.5
Received: from smtp.orangegrove.bluehornet.com (67.216.225.172)
by senan.com.tr with SMTP; 10 Feb 2012 02:26:15 +0200
Return-Path: <bounce-use=M=17685689703=echo4=A341B8C016E45C75080A45495C B85EA3@returnpath.bluehornet.com>
X-MSFBL: dHVyZ3V0QGthbGZhb2dsdS5jb21Ab3JhbmdlZ3JvdmVCaW5kaW 5nQGRlZmF1bHRA
Ym91bmNlLXVzZT1NPTE3Njg1Njg5NzAzPWVjaG80PUEzNDFCOE MwMTZFNDVDNzUw
ODBBNDU0OTVDQjg1RUEz
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
s=parallels-1.bh; d=parallels-universe.com;
h=From:X-Outgoing;
b=NgNSGUAFAOlC3FAo3iZJuz/D3wZIJEY7aiMVq8vxl9BMWwAUGDnzWzBLv4a8AvbR
GbQjh70Czi+RdhM1ohCe9jX0vE5jjITNic82XnfEL6aTS9/vELaFuA0k/SRAXyD2
DKIM-Signature: v=1; a=rsa-sha1; d=parallels-universe.com; s=parallels-1.bh; c=simple/simple;
q=dns/txt; i=@parallels-universe.com; t=1328833498;
h=From:Subject:Date:To:Mime-Version:Content-Type;
bh=d7h/7WIrAf3IHBNmA8pDRnq+//g=;
b=h9rm0zIpLdzy8JDGYXPiII5xIgNEDfilsOGVrC6vpXqmy2Pj CTyCovCxT8FelW5p
ESrWdOWlxX1YN1J/f4sr0frUrENqMg33v4B1R/jzRBC9+Elym+14mFwPefc2jUb7;
DKIM-Signature: v=1; a=rsa-sha1; d=bluehornet.com; s=bluehornet-1.bh; c=simple/simple;
q=dns/txt; i=@bluehornet.com; t=1328833498;
h=From:Subject:Date:To:Mime-Version:Content-Type;
bh=d7h/7WIrAf3IHBNmA8pDRnq+//g=;
b=MrJm1F6g+zkwQpy17UpBY/8SrkjNW7jIO/ue3HkgueTEixqN3LFkhxThDTmib3tW
qG0AatvoMpYWJ0DLIf/E6Gv5dKYFM48j11jYRR9bsEM7U4kqABLJNT0OXmTz+CD+;
Received: from [10.64.22.21] ([10.64.22.21:17905] helo=localhost.localdomain)
by dc1bhmta01 (envelope-from <bounce-use=M=17685689703=echo4=A341B8C016E45C75080A45495C B85EA3@returnpath.bluehornet.com>)
(ecelerity 3.0.28.38595 r(38597)) with ESMTP
id 2A/76-25301-AD3643F4; Thu, 09 Feb 2012 16:24:58 -0800
Message-ID: <2A.76.25301.AD3643F4@dc1bhmta01>
Date: Thu, 09 Feb 2012 16:16:50 -0800
From: "Parallels, Inc." <announce@parallels-universe.com>
Reply-To: no-reply@parallels.com
To: =?UTF-8?B?dHVyZ3V0IGthbGZhb2dsdSBrYWxmYW9nbHU=?= <xxxxxx@kalfaoglu.net>
X-Outgoing: orangegrove
Subject: =?UTF-8?B?UGxlc2sg4oCTIENyaXRpY2FsIFNlY3VyaXR5IFZ1bG5lcm FiaWxpdHkgLSBQYXRjaCBSRVFVSVJFRCAg?=
List-Unsubscribe: <mailto:unsub-17685689703-echo4-A341B8C016E45C75080A45495CB85EA3@listunsub.bluehor net.com>
X-Base64-Encode: Subject
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--4f3461f26384e-MultiPart-Mime-Boundary"

----4f3461f26384e-MultiPart-Mime-Boundary
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Dear Parallels Plesk Panel User:

Please read this message in its entirety and take the recommended
actions.

Parallels has been informed of a SQL injection security
vulnerability in some older versions of Plesk. This vulnerability
is considered critical in nature and customers are advised take
action quickly.

A patch has been released to resolve this vulnerability. Based on
the version and operating system of Plesk you use, please follow
the instructions below.

Linux

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
http://echo4.bluehornet.com/ct/14759...41EF66FB673A:r
If possible, it is recommended to update all the way to Plesk
10.4.4 to provide the most stable user experience.

Plesk 9 - Update to Plesk 9.5.4 MicroUpdate #11 or later
Update Instructions: here
http://echo4.bluehornet.com/ct/14759...41EF66FB673A:r

Plesk 8 - Update to Plesk 8.6.0 MicroUpdate #2 or later
Update Instructions: here
http://echo4.bluehornet.com/ct/14759...41EF66FB673A:r

Windows

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
http://echo4.bluehornet.com/ct/14759...41EF66FB673A:r
If possible, it is recommended to update all the way to Plesk
10.4.4 to provide the most stable user experience.

Plesk 9 - Apply Fix from Parallels Knowledge Base
Update Instructions: here
http://echo4.bluehornet.com/ct/14759...41EF66FB673A:r

Plesk 8 - Apply Fix from Parallels Knowledge Base
Update Instructions: here
http://echo4.bluehornet.com/ct/14759...41EF66FB673A:r
If you are already at or above the Version and MicroUpdate levels
indicated above - you are already protected from this
vulnerability.

Parallels takes the security of our customers very seriously and
urges you to act quickly by applying these patches.

Thanks,

- The Parallels Plesk Panel Team

©2012 Parallels Holdings Ltd. All rights reserved.

This message was intended for xxxx@kalfaoglu.net. You were added to this list October 15, 2009.

To update your subscription options, click here:
http://echo4.bluehornet.com/clients/...93c6f0f2267e29

Use this link to unsubscribe:
http://echo4.bluehornet.com/clients/...d93c69f2267e29

Parallels, Inc.
500 SW 39th St, Suite 200
Renton, WA 98057

License Agreement
http://www.parallels.com/company/eula/

Terms of Use
http://www.parallels.com/company/terms/

Privacy Policy
http://www.parallels.com/company/privacy/

----4f3461f26384e-MultiPart-Mime-Boundary
Content-Type: text/html; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

<html>
<html dir="ltr"><head> <title>Plesk - Critical Security Vulnerability - Patch REQUIRED</title> </head> <body> <table
width="575" border="0" align="center" cellpadding="0" cellspacing="0" style="padding-bottom: 40px;"> <tbody> <tr>
<td style="padding: 0px;"> <table cellspacing="0" cellpadding="0" border="0" width="100%">
<tbody> <tr> <td><img width="175" border="0" style="margin-bottom: 10px;
margin-top: 20px;" alt="" src="http://images.parallels-universe.com/email/parrallels-logo.png" /></td> </tr>
<tr> <td height="0" bgcolor="#d82232" align="right" width="100%" style="margin: 0px; padding:
0px;"><span align="right" style="font-family: arial,sans-serif; font-size: 10px; font-weight: bold; letter-spacing: 1px; text-transform: uppercase;
color: #ffffff;">PARALLELS PLESK PANEL</span></td>
(rest cut off)

**IgorG** · Feb 10, 2012, 03:13 AM

From: "Parallels, Inc." <announce@parallels-universe.com>

According to whois for parallels-universe.com it is our domain with Parallels nameservers and registrant.
Links lead to Plesk documentation.
All looks correctly. Don't worry

**ronfar** · Feb 10, 2012, 04:55 AM

Strange answer because you do not say a thing about the bluehornet.com links! That domain, as far as I know, is not registered by Parallels.

Wouldn't it be more appropriate to talk about the contents and to tell us why the links point to a documentation page?

**PaulC** · Feb 10, 2012, 05:35 AM

It appears Blue Hornet are the company Parallels use to send out the mass emails. Check the Unsubscribe link in the footer you will see this is the same company.

http://www.bluehornet.com/ also confirm that, so doesnt appear to be a problem with that.

It would be nice to know more information on the issue and what has changed - the changed files would be nice as we can then update our Vz templates to make the patch process far easier.

**tkalfaoglu** · Feb 13, 2012, 12:28 AM

A followup on that email from Parallels:
It seems the patch cannot be applied to 9.x servers.

1) There is nothing running on port 8447 on the server,
2) There is no /usr/local/psa/admin/bin/parallels_installer file ,
3) Eventually finding it on disk under /root/ and launching it manually using:
# ./parallels_installer_v3.6.0_build100407.15_os_CentO S_5_x86_64 --web-interface
...will give you lots of options to upgrade it to 10.x , but no option to stay at 9.x or no way to install just this patch..

**Miguel Garcia** · Feb 16, 2012, 04:30 AM

The MU doesn't fix the problem.

This morning, on a Plesk 9.5.4 with all MU inxtalled:

122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:30 +0100] "POST /plesk/client@10/domain@824/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:32 +0100] "GET /plesk/client@10/domain@824/hosting/file-manager/ HTTP/1.1" 200 36661 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:36 +0100] "POST /plesk/client@10/domain@824/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:38 +0100] "GET /plesk/client@10/domain@824/hosting/file-manager/ HTTP/1.1" 200 36661 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:45 +0100] "GET /plesk/client@10/domain@11/hosting/file-manager/?cmd=chdir&file=%2Fcgi-bin%2F HTTP/1.1" 200 34236 "-" "Mozilla/5.0 (Windows; U; Win98; r$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:02 +0100] "POST /plesk/client@10/domain@11/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:05 +0100] "GET /plesk/client@10/domain@11/hosting/file-manager/ HTTP/1.1" 200 36776 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape/$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:09 +0100] "POST /plesk/client@10/domain@11/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:11 +0100] "GET /plesk/client@10/domain@11/hosting/file-manager/ HTTP/1.1" 200 36776 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape/$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:19 +0100] "GET /plesk/client@10/domain@810/hosting/file-manager/?cmd=chdir&file=%2Fcgi-bin%2F HTTP/1.1" 200 34300 "-" "Mozilla/5.0 (Windows; U; Win98; $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:31 +0100] "POST /plesk/client@10/domain@810/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:34 +0100] "GET /plesk/client@10/domain@810/hosting/file-manager/ HTTP/1.1" 200 36702 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:38 +0100] "POST /plesk/client@10/domain@810/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:41 +0100] "GET /plesk/client@10/domain@810/hosting/file-manager/ HTTP/1.1" 200 36702 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:48 +0100] "GET /plesk/client@10/domain@828/hosting/file-manager/?cmd=chdir&file=%2Fcgi-bin%2F HTTP/1.1" 200 34285 "-" "Mozilla/5.0 (Windows; U; Win98; $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:18:01 +0100] "POST /plesk/client@10/domain@828/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:18:04 +0100] "GET /plesk/client@10/domain@828/hosting/file-manager/ HTTP/1.1" 200 36846 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$

**IgorG** · Feb 16, 2012, 04:39 AM

Current state of this vulnerability is here http://kb.parallels.com/en/113321

**tkalfaoglu** · Feb 16, 2012, 07:04 AM

Miguel: How did you install the MU on your 9.x server? My Plesk "update" icon just takes me to the same server, port 8447,
but no service runs at that port (see my prev posting).. So, I'm stuck.. -t

**StÃ©phanS** · Feb 16, 2012, 10:36 AM

Hi,

can Parallels provide us with more details as to what data has been gathered?

Did the SQL injection allow the attackers to grab the client logins and passwords?
Or did it only allow them to be able to log in using guessed client id's?

If the first is true, then just patching Plesk is not the solution,
we'd need to change all of our client's passwords. (this can ofcourse be done via script).

So Parallels, can you provide us with more info, and scripts to analyse httpsd_access_log,
to see which servers are actually affected??

And what do you mean with: 'Victim must voluntarily interact with attack mechanism'

Some more info would be most welcome, this is one of the most critical security threats Plesk has seen in years.

PS: First entry in our logs dates from Feb 6
PPS: We have found requests to agent.php dating back to January 23rd (Russian TelCo)

**Miguel Garcia** · Feb 16, 2012, 11:07 AM

Originally Posted by tkalfaoglu

Miguel: How did you install the MU on your 9.x server? My Plesk "update" icon just takes me to the same server, port 8447,
but no service runs at that port (see my prev posting).. So, I'm stuck.. -t

From command line. Just type: /usr/local/psa/admin/sbin/autoinstaller

**tkalfaoglu** · Feb 17, 2012, 12:49 AM

Thanks - I just got all the MU's installed using the command line..
Regards, -turgut

**Blake@Parallels** · Feb 18, 2012, 08:23 AM

Originally Posted by Miguel Garcia

The MU doesn't fix the problem.

This morning, on a Plesk 9.5.4 with all MU inxtalled:

122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:30 +0100] "POST /plesk/client@10/domain@824/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$

The log instances shown above are not indicative (directly) of the vulnerability. The initial vulnerability was of a SQL injection type - this was patched by the updates mentioned in the security bulletin.

Originally Posted by StÃ©phanS

then just patching Plesk is not the solution, we'd need to change all of our client's passwords. (this can of course be done via script).

This is correct. If you were attacked before applying the MicroUpdates, then you should reset all user passwords as soon as possible.

**StÃ©phanS** · Feb 18, 2012, 05:06 PM

Originally Posted by Blake@Parallels

This is correct. If you were attacked before applying the MicroUpdates, then you should reset all user passwords as soon as possible.

I have seen post requests tot agent.php on other servers, but no logins to the clients or the posts to filemanager.php,
do I need to reset all passwords on these servers aswell?

Can any more light be shed on what data was actually extracted from our Plesk instances?
(sysops need to be informed of these things, the KB articles only state updating, which is not enough it seems).

Best not to make Plesk part of a giant botnet, because that is what they are building by uploading PHP dropper files via filemanager.php (it's a PHP eval script).

They have been investigating our servers starting from January 23d, and then gradually perfected their Plesk injection + infection script (probably on their own test servers, because I cannot find any entries of such tests).

**Blake@Parallels** · Feb 18, 2012, 05:16 PM

I have seen post requests tot agent.php on other servers, but no logins to the clients or the posts to filemanager.php,
do I need to reset all passwords on these servers aswell?

Can any more light be shed on what data was actually extracted from our Plesk instances?
(sysops need to be informed of these things, the KB articles only state updating, which is not enough it seems).

Best not to make Plesk part of a giant botnet, because that is what they are building by uploading PHP dropper files via filemanager.php (it's a PHP eval script).

They have been investigating our servers starting from January 23d, and then gradually perfected their Plesk injection + infection script (probably on their own test servers, because I cannot find any entries of such tests).

The update levels mentioned in the original security bulletin have been available since September 2011. So, when evaluating your servers, I would recommend to check several things:

- If they were already at the identified update levels, you should be OK.
- If not, and you see POST requests to agent.php that are not from you (or any components you have that may be integrating with Plesk), prior to applying the updates, this could be cause for concern.
- Any requests to agent.php after applying the updates should be harmless.
- Because of the nature of the vulnerability (i.e. SQL injection), there is the potential for the attacker to maintain access to the server even after the original entry point was closed if they gained access to any user accounts.

Especially because of the last point, this is why we recommend that any compromised server have its passwords reset as soon as possible.

**fran@** · Feb 24, 2012, 06:26 PM

Blake,

what passwords do we need to reset on the Plesk servers?
I'm assuming Admin and Resellers/Clients/Domain admins CP access on Plesk 9, and all users accessing the File Manager on Plesk 10.
Should we also reset passwords for Email users CP access? FTP users?

What is the fastest way to do it?
/Fran

**mr_coko** · Feb 27, 2012, 03:40 PM

Please have a look here: http://forum.parallels.com/showpost....5&postcount=30

**sergius** · Feb 29, 2012, 05:43 AM

Originally Posted by fran@

Blake,

what passwords do we need to reset on the Plesk servers?
I'm assuming Admin and Resellers/Clients/Domain admins CP access on Plesk 9, and all users accessing the File Manager on Plesk 10.
Should we also reset passwords for Email users CP access? FTP users?

What is the fastest way to do it?
/Fran

Please take a look at the script provided by Plesk Service.

http://forum.parallels.com/showpost....8&postcount=34

**/dev/null** · Mar 2, 2012, 04:04 PM

Please forgive me my ignorance, but are there any 'plans' to store the passwords in next versions of the Control Panel in a 'safer' way?

Thread: is this email legitimate? "Plesk - Critical Security Vulnerability"

Thread Tools

Search Thread

Display

is this email legitimate? "Plesk - Critical Security Vulnerability"

Critical patch cannot be installed on 9.x servers..

Script to reset all passwords in Plesk

Posting Permissions