is this email legitimate? "Plesk - Critical Security Vulnerability"

[tkalfaoglu]

I got an email that states "Plesk - Critical Security Vulnerability" , but all the links point to somewhere called echo4.bluehornet.com.

Is this phishing or legitimate?

Plesk - Critical Security Vulnerability - Patch REQUIRED

Dear Parallels Plesk Panel User:

Please read this message in its entirety and take the recommended actions.

Parallels has been informed of a SQL injection security vulnerability in some older versions of Plesk. This vulnerability is considered critical in nature and customers are advised take action quickly.

A patch has been released to resolve this vulnerability. Based on the version and operating system of Plesk you use, please follow the instructions below.

Linux

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, it is recommended to update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 - Update to Plesk 9.5.4 MicroUpdate #11 or later
Update Instructions: here

Plesk 8 - Update to Plesk 8.6.0 MicroUpdate #2 or later
Update Instructions: here

Windows

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, it is recommended to update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 - Apply Fix from Parallels Knowledge Base
Update Instructions: here

Plesk 8 - Apply Fix from Parallels Knowledge Base
Update Instructions: here

If you are already at or above the Version and MicroUpdate levels indicated above - you are already protected from this vulnerability.

Parallels takes the security of our customers very seriously and urges you to act quickly by applying these patches.


Thanks,

- The Parallels Plesk Panel Team

©2012 Parallels Holdings Ltd. All rights reserved.

This message was intended for [email protected]. You were added to this list October 15, 2009.

To update your subscription options, click here. Use this link to unsubscribe.
Parallels, Inc.
500 SW 39th St, Suite 200
Renton, WA 98057

License Agreement | Terms of Use | Privacy Policy

 

[IgorG]

Could you please show full email header?

 

[tkalfaoglu]

sure, thank you.. PS: I changed my mail address to [email protected] in the posting below.

From - Fri Feb 10 09:26:54 2012
X-Account-Key: account4
X-UIDL: UID202892-1179178697
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: (qmail 14915 invoked by uid 10510); 10 Feb 2012 02:26:17 +0200
Received: from smtp.orangegrove.bluehornet.com by panel.kalfaoglu.net (envelope-from <bounce-use=m=17685689703=echo4=a341b8c016e45c75080a45495cb85ea3@returnpath.bluehornet.com>, uid 2020) with qmail-scanner-2.08st
(clamdscan: 0.97.3/14423. spamassassin: 3.2.5. perlscan: 2.08st.
Clear:RC:0(67.216.225.172):SA:0(-0.3/6.5):.
Processed in 1.599224 secs); 10 Feb 2012 00:26:17 -0000
X-Spam-Status: No, hits=-0.3 required=6.5
Received: from smtp.orangegrove.bluehornet.com (67.216.225.172)
by senan.com.tr with SMTP; 10 Feb 2012 02:26:15 +0200
Return-Path: <bounce-use=M=17685689703=echo4=A341B8C016E45C75080A45495CB85EA3@returnpath.bluehornet.com>
X-MSFBL: dHVyZ3V0QGthbGZhb2dsdS5jb21Ab3JhbmdlZ3JvdmVCaW5kaW5nQGRlZmF1bHRA
Ym91bmNlLXVzZT1NPTE3Njg1Njg5NzAzPWVjaG80PUEzNDFCOEMwMTZFNDVDNzUw
ODBBNDU0OTVDQjg1RUEz
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
s=parallels-1.bh; d=parallels-universe.com;
h=From:X-Outgoing;
b=NgNSGUAFAOlC3FAo3iZJuz/D3wZIJEY7aiMVq8vxl9BMWwAUGDnzWzBLv4a8AvbR
GbQjh70Czi+RdhM1ohCe9jX0vE5jjITNic82XnfEL6aTS9/vELaFuA0k/SRAXyD2
DKIM-Signature: v=1; a=rsa-sha1; d=parallels-universe.com; s=parallels-1.bh; c=simple/simple;
q=dns/txt; [email protected]; t=1328833498;
h=From:Subjectate:To:Mime-Version:Content-Type;
bh=d7h/7WIrAf3IHBNmA8pDRnq+//g=;
b=h9rm0zIpLdzy8JDGYXPiII5xIgNEDfilsOGVrC6vpXqmy2PjCTyCovCxT8FelW5p
ESrWdOWlxX1YN1J/f4sr0frUrENqMg33v4B1R/jzRBC9+Elym+14mFwPefc2jUb7;
DKIM-Signature: v=1; a=rsa-sha1; d=bluehornet.com; s=bluehornet-1.bh; c=simple/simple;
q=dns/txt; [email protected]; t=1328833498;
h=From:Subjectate:To:Mime-Version:Content-Type;
bh=d7h/7WIrAf3IHBNmA8pDRnq+//g=;
b=MrJm1F6g+zkwQpy17UpBY/8SrkjNW7jIO/ue3HkgueTEixqN3LFkhxThDTmib3tW
qG0AatvoMpYWJ0DLIf/E6Gv5dKYFM48j11jYRR9bsEM7U4kqABLJNT0OXmTz+CD+;
Received: from [10.64.22.21] ([10.64.22.21:17905] helo=localhost.localdomain)
by dc1bhmta01 (envelope-from <bounce-use=M=17685689703=echo4=A341B8C016E45C75080A45495CB85EA3@returnpath.bluehornet.com>)
(ecelerity 3.0.28.38595 r(38597)) with ESMTP
id 2A/76-25301-AD3643F4; Thu, 09 Feb 2012 16:24:58 -0800
Message-ID: <2A.76.25301.AD3643F4@dc1bhmta01>
Date: Thu, 09 Feb 2012 16:16:50 -0800
From: "Parallels, Inc." <[email protected]>
Reply-To: [email protected]
To: =?UTF-8?B?dHVyZ3V0IGthbGZhb2dsdSBrYWxmYW9nbHU=?= <[email protected]>
X-Outgoing: orangegrove
Subject: =?UTF-8?B?UGxlc2sg4oCTIENyaXRpY2FsIFNlY3VyaXR5IFZ1bG5lcmFiaWxpdHkgLSBQYXRjaCBSRVFVSVJFRCAg?=
List-Unsubscribe: <mailto:unsub-17685689703-echo4-A341B8C016E45C75080A45495CB85EA3@listunsub.bluehornet.com>
X-Base64-Encode: Subject
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--4f3461f26384e-MultiPart-Mime-Boundary"



----4f3461f26384e-MultiPart-Mime-Boundary
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit



Dear Parallels Plesk Panel User:

Please read this message in its entirety and take the recommended
actions.

Parallels has been informed of a SQL injection security
vulnerability in some older versions of Plesk. This vulnerability
is considered critical in nature and customers are advised take
action quickly.

A patch has been released to resolve this vulnerability. Based on
the version and operating system of Plesk you use, please follow
the instructions below.

Linux

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
http://echo4.bluehornet.com/ct/14759742:17685689703:m:3:510338896:10F0659847E14A8D6FC341EF66FB673A:r
If possible, it is recommended to update all the way to Plesk
10.4.4 to provide the most stable user experience.

Plesk 9 - Update to Plesk 9.5.4 MicroUpdate #11 or later
Update Instructions: here
http://echo4.bluehornet.com/ct/14759743:17685689703:m:3:510338896:10F0659847E14A8D6FC341EF66FB673A:r

Plesk 8 - Update to Plesk 8.6.0 MicroUpdate #2 or later
Update Instructions: here
http://echo4.bluehornet.com/ct/14759744:17685689703:m:3:510338896:10F0659847E14A8D6FC341EF66FB673A:r



Windows

Plesk 10 - Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
http://echo4.bluehornet.com/ct/14759742:17685689703:m:3:510338896:10F0659847E14A8D6FC341EF66FB673A:r
If possible, it is recommended to update all the way to Plesk
10.4.4 to provide the most stable user experience.

Plesk 9 - Apply Fix from Parallels Knowledge Base
Update Instructions: here
http://echo4.bluehornet.com/ct/14759745:17685689703:m:3:510338896:10F0659847E14A8D6FC341EF66FB673A:r

Plesk 8 - Apply Fix from Parallels Knowledge Base
Update Instructions: here
http://echo4.bluehornet.com/ct/14759745:17685689703:m:3:510338896:10F0659847E14A8D6FC341EF66FB673A:r
If you are already at or above the Version and MicroUpdate levels
indicated above - you are already protected from this
vulnerability.

Parallels takes the security of our customers very seriously and
urges you to act quickly by applying these patches.

Thanks,

- The Parallels Plesk Panel Team

©2012 Parallels Holdings Ltd. All rights reserved.

This message was intended for [email protected]. You were added to this list October 15, 2009.

To update your subscription options, click here:
http://echo4.bluehornet.com/clients...alfaoglu.net&_mh=4ac6e1381ca9fd93c6f0f2267e29

Use this link to unsubscribe:
http://echo4.bluehornet.com/clients...kalfaoglu.net&_mh=4ac6e1381ca9fd93c69f2267e29




Parallels, Inc.
500 SW 39th St, Suite 200
Renton, WA 98057


License Agreement
http://www.parallels.com/company/eula/

Terms of Use
http://www.parallels.com/company/terms/

Privacy Policy
http://www.parallels.com/company/privacy/




----4f3461f26384e-MultiPart-Mime-Boundary
Content-Type: text/html; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit



<html><!--

*******************************************************
*Note: If you are having trouble viewing this message,*
*copy and paste the link below into your browser *
*address field and hit the Enter button on your *
*keyboard. *
http://echo4.bluehornet.com/p/v7_ftTCpIN
If you would like to change your preferences *
or unsubscribe, copy the URL below: *
©2012 Parallels Holdings Ltd. All rights reserved.

This message was intended for [email protected]. You were added to this list October 15, 2009.

To update your subscription options, click here:
http://echo4.bluehornet.com/clients...alfaoglu.net&_mh=4ac6e1381ca9fd93c697f2267e29

Use this link to unsubscribe:
http://echo4.bluehornet.com/clients...kalfaoglu.net&_mh=4ac6e1381ca9fd932f0f2267e29




Parallels, Inc.
500 SW 39th St, Suite 200
Renton, WA 98057


License Agreement
http://www.parallels.com/company/eula/

Terms of Use
http://www.parallels.com/company/terms/

Privacy Policy
http://www.parallels.com/company/privacy/
*******************************************************
-->
<html dir="ltr"><head> <title>Plesk - Critical Security Vulnerability - Patch REQUIRED</title> </head> <body> <table
width="575" border="0" align="center" cellpadding="0" cellspacing="0" style="padding-bottom: 40px;"> <tbody> <tr>
<td style="padding: 0px;"><!-- BEGIN LOGO TABLE--> <table cellspacing="0" cellpadding="0" border="0" width="100%">
<tbody> <tr> <td><img width="175" border="0" style="margin-bottom: 10px;
margin-top: 20px;" alt="" src="http://images.parallels-universe.com/email/parrallels-logo.png" /></td> </tr>
<tr> <td height="0" bgcolor="#d82232" align="right" width="100%" style="margin: 0px; padding:
0px;"><span align="right" style="font-family: arial,sans-serif; font-size: 10px; font-weight: bold; letter-spacing: 1px; text-transform: uppercase;
color: #ffffff;">PARALLELS PLESK PANEL</span></td>
(rest cut off)

 

[IgorG]

From: "Parallels, Inc." <[email protected]>

According to whois for parallels-universe.com it is our domain with Parallels nameservers and registrant.
Links lead to Plesk documentation.
All looks correctly. Don't worry

 

[ronfar]

Strange answer because you do not say a thing about the bluehornet.com links! That domain, as far as I know, is not registered by Parallels.

Wouldn't it be more appropriate to talk about the contents and to tell us why the links point to a documentation page?

 

[PaulC]

It appears Blue Hornet are the company Parallels use to send out the mass emails. Check the Unsubscribe link in the footer you will see this is the same company.

http://www.bluehornet.com/ also confirm that, so doesnt appear to be a problem with that.

It would be nice to know more information on the issue and what has changed - the changed files would be nice as we can then update our Vz templates to make the patch process far easier.

 

[tkalfaoglu]

Critical patch cannot be installed on 9.x servers..

A followup on that email from Parallels:
It seems the patch cannot be applied to 9.x servers.

1) There is nothing running on port 8447 on the server,
2) There is no /usr/local/psa/admin/bin/parallels_installer file ,
3) Eventually finding it on disk under /root/ and launching it manually using:
# ./parallels_installer_v3.6.0_build100407.15_os_CentOS_5_x86_64 --web-interface
...will give you lots of options to upgrade it to 10.x , but no option to stay at 9.x or no way to install just this patch..

 

[Fede Marsell]

The MU doesn't fix the problem.

This morning, on a Plesk 9.5.4 with all MU inxtalled:

122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:30 +0100] "POST /plesk/client@10/domain@824/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:32 +0100] "GET /plesk/client@10/domain@824/hosting/file-manager/ HTTP/1.1" 200 36661 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:36 +0100] "POST /plesk/client@10/domain@824/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:38 +0100] "GET /plesk/client@10/domain@824/hosting/file-manager/ HTTP/1.1" 200 36661 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:45 +0100] "GET /plesk/client@10/domain@11/hosting/file-manager/?cmd=chdir&file=%2Fcgi-bin%2F HTTP/1.1" 200 34236 "-" "Mozilla/5.0 (Windows; U; Win98; r$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:02 +0100] "POST /plesk/client@10/domain@11/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:05 +0100] "GET /plesk/client@10/domain@11/hosting/file-manager/ HTTP/1.1" 200 36776 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape/$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:09 +0100] "POST /plesk/client@10/domain@11/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:11 +0100] "GET /plesk/client@10/domain@11/hosting/file-manager/ HTTP/1.1" 200 36776 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape/$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:19 +0100] "GET /plesk/client@10/domain@810/hosting/file-manager/?cmd=chdir&file=%2Fcgi-bin%2F HTTP/1.1" 200 34300 "-" "Mozilla/5.0 (Windows; U; Win98; $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:31 +0100] "POST /plesk/client@10/domain@810/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:34 +0100] "GET /plesk/client@10/domain@810/hosting/file-manager/ HTTP/1.1" 200 36702 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:38 +0100] "POST /plesk/client@10/domain@810/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:41 +0100] "GET /plesk/client@10/domain@810/hosting/file-manager/ HTTP/1.1" 200 36702 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:17:48 +0100] "GET /plesk/client@10/domain@828/hosting/file-manager/?cmd=chdir&file=%2Fcgi-bin%2F HTTP/1.1" 200 34285 "-" "Mozilla/5.0 (Windows; U; Win98; $
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:18:01 +0100] "POST /plesk/client@10/domain@828/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$
122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:18:04 +0100] "GET /plesk/client@10/domain@828/hosting/file-manager/ HTTP/1.1" 200 36846 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko Netscape$

 

[IgorG]

Current state of this vulnerability is here http://kb.parallels.com/en/113321

 

[tkalfaoglu]

Miguel: How did you install the MU on your 9.x server? My Plesk "update" icon just takes me to the same server, port 8447,
but no service runs at that port (see my prev posting).. So, I'm stuck.. -t

 

[StéphanS]

Hi,

can Parallels provide us with more details as to what data has been gathered?


Did the SQL injection allow the attackers to grab the client logins and passwords?
Or did it only allow them to be able to log in using guessed client id's?


If the first is true, then just patching Plesk is not the solution,
we'd need to change all of our client's passwords. (this can ofcourse be done via script).


So Parallels, can you provide us with more info, and scripts to analyse httpsd_access_log,
to see which servers are actually affected??


And what do you mean with: 'Victim must voluntarily interact with attack mechanism'

Some more info would be most welcome, this is one of the most critical security threats Plesk has seen in years.


PS: First entry in our logs dates from Feb 6
PPS: We have found requests to agent.php dating back to January 23rd (Russian TelCo)

 

[Fede Marsell]

Miguel: How did you install the MU on your 9.x server? My Plesk "update" icon just takes me to the same server, port 8447,
but no service runs at that port (see my prev posting).. So, I'm stuck.. -t

From command line. Just type: /usr/local/psa/admin/sbin/autoinstaller

 

[tkalfaoglu]

Thanks - I just got all the MU's installed using the command line..
Regards, -turgut

 

[Blake@Parallels]

The MU doesn't fix the problem.

This morning, on a Plesk 9.5.4 with all MU inxtalled:

122.163.37.126 XXX.XXX.XXX.XXX:8443 - [16/Feb/2012:10:16:30 +0100] "POST /plesk/client@10/domain@824/hosting/file-manager/create-file/ HTTP/1.1" 303 0 "-" "Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.4) Gecko$

The log instances shown above are not indicative (directly) of the vulnerability. The initial vulnerability was of a SQL injection type - this was patched by the updates mentioned in the security bulletin.

then just patching Plesk is not the solution, we'd need to change all of our client's passwords. (this can of course be done via script).

This is correct. If you were attacked before applying the MicroUpdates, then you should reset all user passwords as soon as possible.

 

[StéphanS]

This is correct. If you were attacked before applying the MicroUpdates, then you should reset all user passwords as soon as possible.

I have seen post requests tot agent.php on other servers, but no logins to the clients or the posts to filemanager.php,
do I need to reset all passwords on these servers aswell?

Can any more light be shed on what data was actually extracted from our Plesk instances?
(sysops need to be informed of these things, the KB articles only state updating, which is not enough it seems).


Best not to make Plesk part of a giant botnet, because that is what they are building by uploading PHP dropper files via filemanager.php (it's a PHP eval script).

They have been investigating our servers starting from January 23d, and then gradually perfected their Plesk injection + infection script (probably on their own test servers, because I cannot find any entries of such tests).

 

[Blake@Parallels]

I have seen post requests tot agent.php on other servers, but no logins to the clients or the posts to filemanager.php,
do I need to reset all passwords on these servers aswell?

Can any more light be shed on what data was actually extracted from our Plesk instances?
(sysops need to be informed of these things, the KB articles only state updating, which is not enough it seems).


Best not to make Plesk part of a giant botnet, because that is what they are building by uploading PHP dropper files via filemanager.php (it's a PHP eval script).

They have been investigating our servers starting from January 23d, and then gradually perfected their Plesk injection + infection script (probably on their own test servers, because I cannot find any entries of such tests).

The update levels mentioned in the original security bulletin have been available since September 2011. So, when evaluating your servers, I would recommend to check several things:

- If they were already at the identified update levels, you should be OK.
- If not, and you see POST requests to agent.php that are not from you (or any components you have that may be integrating with Plesk), prior to applying the updates, this could be cause for concern.
- Any requests to agent.php after applying the updates should be harmless.
- Because of the nature of the vulnerability (i.e. SQL injection), there is the potential for the attacker to maintain access to the server even after the original entry point was closed if they gained access to any user accounts.

Especially because of the last point, this is why we recommend that any compromised server have its passwords reset as soon as possible.

 

[fran@]

Blake,

what passwords do we need to reset on the Plesk servers?
I'm assuming Admin and Resellers/Clients/Domain admins CP access on Plesk 9, and all users accessing the File Manager on Plesk 10.
Should we also reset passwords for Email users CP access? FTP users?

What is the fastest way to do it?
/Fran

 

[mr_coko]

Please have a look here: http://forum.parallels.com/showpost.php?p=617115&postcount=30

 

[sergius]

Script to reset all passwords in Plesk

Blake,

what passwords do we need to reset on the Plesk servers?
I'm assuming Admin and Resellers/Clients/Domain admins CP access on Plesk 9, and all users accessing the File Manager on Plesk 10.
Should we also reset passwords for Email users CP access? FTP users?

What is the fastest way to do it?
/Fran

Please take a look at the script provided by Plesk Service.

http://forum.parallels.com/showpost.php?p=617278&postcount=34

 

[/dev/null]

Please forgive me my ignorance, but are there any 'plans' to store the passwords in next versions of the Control Panel in a 'safer' way?