
Issue Important: Imunify auto installation and possible data leak

Well there are 2 issues here in general:

Installation possible by-passing Plesk (and Customers)

I do understand when you have the Imunify extension activated/installed on purpose the extension party (CloudLinux) has the power to make changes to our system. The problem here is of course Plesk gives full power to an extension supplier which makes major (unwanted) changes to servers which do not have the extension enabled.

This makes supply-chain attacks very easy.

Downsizing the issue

I see that Plesk and CloudLinux are downsizing the problem. They totally ignored the above points. The fact is that we have seen servers where files are uploaded to CL servers EVEN without us having a license.

This might be a sign there is no open-culture about security in Plesk. F*ckups can be made (been there, done that). But get your act together, apologize and tell us what you're gonna do to prevent these kinds of incidents. Running an internet business is hard enough already without vendors causing havoc.
 
I came across this post via Reddit last night, checking my logs today I too have been uploading some files - some are of concern and now need changes made to ensure security of my server. I have however noticed that since 11th August the uploads have stopped. Looks like they made changes to the extension configuration?
 
On one of our Plesk servers the Imunify extension that we did not activate/install ourselves has been uploading random files from our server to an Imunify 'Malware Response Service'. This is horrible! Not only a serious SECURITY RISK, but with a file containing personal information also IN VIOLATION OF EU GDPR. I informed our Data Protection Officer who will likely - as required by law - need to report this to the relevant authorities and inform the affected data subjects. Thanks for this huge mess Plesk!
 

@Barend,

It is - also - a bit messy from the legal perspective.


In the EU, the relevant authorities are highly institutionalized and to some extent bureaucratic.

Stated differently, notifications and complaints get stuck in a queue of processes and end up as a file on a desk or even in the archives.


The challenge here is that a violation is not the same as a legal offense.

In my experience, the factual occurrence of a legal offense will change things almost instantly - notifications/complaints are being dealt with rigorously.


The other challenge here is that it is not entirely clear who is legally liable - Plesk or CloudLinux.

Again, (full) legal liability is already present, but only the actual occurrence of a legal offense will make legal liability considerations relevant.


I have discussed all of the above with a legal team and some relevant authorities in the EU - over and over again.

They essentially need evidence that can hold up in court.


So, I can cordially recommend that you create a honey pot of some kind.

Just create a server or site that uploads humbug information to CloudLinux ...... and wait and see whether that server or site is compromised.

That is the smoking gun, the evidence that you need.


To be honest, we run several honey pots and we do not notice any difference between the honey pots with or without CloudLinux products installed.

That is really disappointing, since that implies that I cannot provide the necessary proof/evidence to my legal team to go ahead with legal proceedings.

And I was strongly discouraged (by my legal team) to flood CloudLinux servers with information that makes their products unusable.

It is a bit unfair ...... but that is life.


The best thing to do is to create multiple files (read: notifications/complaints) for the relevant authorities.

The more complaints/notifications there are, the more likely that the "dossier CloudLinux" will get more priority.

Do not be discouraged by the traditional bureaucratic processes, just persist and continue filing complaints/notifications.


Kind regards....
 
The controller (hosting client) must submit any GDPR Article 33/34 notices after our prompt notification. We often see little interest in doing so, despite our offer to support. For example, one client uses a Plesk server to back up email within its hosting subscription; those emails were transferred to Imunify servers.
 
We must act and not let Plesk continue abusing these practices.

As I already said, the Plesk user community doesn't care about the security or privacy of their data.

This thread is proof of that.

A very serious situation, and hardly any response.

Only 4 or 5 people are concerned about security. Nobody else.

A specialized lawyer would be a great help. If nothing changes, PLESK will continue operating as usual.
 