
Issue PHP Chankro DOS attack

Edgar Ruiz

New Pleskian
Server operating system version: CentOS 7.9
Plesk version and microupdate number: 18.0.64 Update 1
Hello,

On Friday 22nd we suffered an attack on one of our client's domains that is hosted on a server running Plesk Obsidian. The incident appears to be related to an exploit using the Chankro tool (Bypass Disable Functions), which attacks the disable_functions directive in PHP.

The attack attempted to bypass PHP's disable_functions directive using Chankro. Although SELinux prevented the attacker from causing significant damage, the server became unresponsive due to a massive increase in the number of tasks/processes, effectively resulting in a denial of service (DoS).

System Configuration:
  • Operating System: CentOS 7
  • Plesk Version: 18.0.64 Update 1
  • PHP Version: 8.3.13 (provided by Plesk)
  • Web Server: (Apache/Nginx with PHP-FPM)
  • SELinux: Enabled and enforcing
Logs from plesk-php83/error.log

[22-Nov-2024 21:24:03] WARNING: [pool domain.example.com] child 21795 said into stderr: "PHP message: PHP Warning: Undefined array key "\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54" in /var/www/vhosts/domain.example.com/httpdocs/wp-content/plugins/pwnd/lol.php on line 186"
[22-Nov-2024 21:24:07] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: (6) Could not resolve host: gsocket.io; Unknown error"
[22-Nov-2024 21:24:10] WARNING: [pool domain.example.com] child 23318 said into stderr: "curl: c(6u)r lCo:u ld( 6no)t rCesooullvde nhoots tr:e sgoslovcek e
hto.sito:; gUsnokcnkoewtn. ieor;r oUrn"

sysstat CPU use:

          CPU  %user  %nice  %system  %iowait  %steal  %idle
21:00:01  all   3,04   0,00     1,54     0,02    0,00  95,40
21:05:01  all   2,14   0,00     0,99     0,04    0,00  96,82
21:10:01  all   3,00   0,00     1,43     0,03    0,00  95,55
21:15:01  all   2,34   0,00     1,07     0,02    0,00  96,58
21:20:01  all   3,10   0,00     1,36     0,04    0,00  95,50


sysstat memory use:

          kbmemfree  kbmemused  %memused  kbbuffers  kbcached  kbcommit  %commit  kbactive   kbinact  kbdirty
21:00:01     786608   31977944     97,60    1939436  22444692  11206604    30,32  14792196  12937932      520
21:05:01    1294008   31470544     96,05    1939828  22394060  10335896    27,97  14369116  12892100      912
21:10:01    1114152   31650400     96,60    1938392  22393220  10919372    29,54  14507020  12921904     2284
21:15:01     686136   32078416     97,91    1938564  22402836  11307880    30,60  14932044  12912328     1416
21:20:01     925240   31839312     97,18    1939208  22566204  11012808    29,80  14562556  13053700     1616


The file with the malicious code was copied to another server with the following characteristics:

System Configuration:
  • Operating System: AlmaLinux release 8.10 (Cerulean Leopard)
  • Plesk Version: Plesk Obsidian 18.0.65 Update #1, last updated on Nov 12, 2024 03:33 AM
  • PHP Version: 8.3.13 (provided by Plesk)
  • Web Server: (Apache/Nginx with PHP-FPM)
  • SELinux: Enabled and enforcing
The attack was also replicated on this server, and the number of processes/tasks increased to the point of almost leaving it unresponsive. The processes were prevented from continuing to increase by restarting the php-fpm service (systemctl restart plesk-php83-fpm).

Please advise on how to configure additional measures to prevent similar attacks from leaving the server unresponsive again.

Additionally, I would like to ask you if the PHP versions provided by Plesk are vulnerable to this tool and if there is a date for the release of a patch. I searched the forums but found no information.

Thank you for your time and support, and please forgive my English.

Best regards,

Edgar Ruiz
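The error.log excerpt above carries three signals worth automating: an array key written as `\x44\x4f...` (hex-escaped strings are a common way to hide identifiers in dropped PHP; it decodes to `DOCUMENT_ROOT`), a single FPM child emitting a burst of `curl` failures against gsocket.io (a public reverse-shell deployment host), and one line in which two children's stderr is interleaved character by character, which is what concurrent spawning looks like in the log. The script below is an added example, not part of the original post or of Plesk; its `SAMPLE_LOG` is constructed to mirror the quoted lines, and the `SUSPECT_HOSTS` list, the burst threshold and the window are assumptions to tune per server.

```python
"""Triage PHP-FPM error.log lines for the signals seen in the post.

Added example (not from the post or from Plesk). SAMPLE_LOG is constructed to
mirror the quoted lines; thresholds and SUSPECT_HOSTS are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<level>\w+): \[pool (?P<pool>[^\]]+)\] '
    r'child (?P<child>\d+) said into stderr: "(?P<msg>.*)"$'
)
HEX_RUN_RE = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')          # four or more \xNN escapes in a row
CURL_DNS_RE = re.compile(r'^curl: \(6\) Could not resolve host: ([^;\s]+)')
PHP_PATH_RE = re.compile(r' in (/\S+\.php) on line \d+')

# Assumption: seed list of hosts used by public reverse-shell "deploy" one-liners.
SUSPECT_HOSTS = {"gsocket.io"}


def _l(ts, level, child, msg, pool="domain.example.com"):
    """Build one FPM stderr log line (used only to construct the sample)."""
    return f'[{ts}] {level}: [pool {pool}] child {child} said into stderr: "{msg}"'


CURL = "curl: (6) Could not resolve host: gsocket.io; Unknown error"
SAMPLE_LOG = "\n".join(
    [
        _l("22-Nov-2024 21:23:50", "NOTICE", 21790,
           "PHP message: PHP Notice: Undefined variable $x in "
           "/var/www/vhosts/domain.example.com/httpdocs/index.php on line 3"),
        _l("22-Nov-2024 21:24:03", "WARNING", 21795,
           'PHP message: PHP Warning: Undefined array key '
           '"\\x44\\x4f\\x43\\x55\\x4d\\x45\\x4e\\x54\\x5f\\x52\\x4f\\x4f\\x54" in '
           "/var/www/vhosts/domain.example.com/httpdocs/wp-content/plugins/pwnd/lol.php on line 186"),
        _l("22-Nov-2024 21:24:07", "WARNING", 23318, CURL),
    ]
    + [_l("22-Nov-2024 21:24:10", "WARNING", 23318, CURL)] * 7
    # two children writing curl's error at the same time, interleaved byte by byte
    + [_l("22-Nov-2024 21:24:10", "WARNING", 23318,
          "curl: c(6u)r lCo:u ld( 6no)t rCesooullvde nhoots tr:e sgoslovcek e "
          "hto.sito:; gUsnokcnkoewtn. ieor;r oUrn")]
)


def parse_log(text):
    """Return one dict per well-formed FPM stderr line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
        rec["child"] = int(rec["child"])
        records.append(rec)
    return records


def triage(text, burst=5, window_s=10):
    """Flag obfuscated keys, suspect hosts, per-child curl bursts and interleaved stderr."""
    findings = {"obfuscated": [], "suspect_hosts": set(), "bursts": {}, "interleaved": 0}
    curl_times = defaultdict(list)
    for rec in parse_log(text):
        msg = rec["msg"]
        hx = HEX_RUN_RE.search(msg)
        if hx:  # decode the \xNN run so an analyst sees the real identifier
            decoded = hx.group(0).encode("ascii").decode("unicode_escape")
            pm = PHP_PATH_RE.search(msg)
            findings["obfuscated"].append((pm.group(1) if pm else None, decoded))
        if msg.startswith("curl"):
            cm = CURL_DNS_RE.match(msg)
            if cm:
                if cm.group(1) in SUSPECT_HOSTS:
                    findings["suspect_hosts"].add(cm.group(1))
                curl_times[(rec["pool"], rec["child"])].append(rec["ts"])
            else:  # curl output that does not parse: concurrent writers on one stderr
                findings["interleaved"] += 1
    # sliding window: peak number of curl failures one child produced within window_s
    for key, times in curl_times.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= burst:
            findings["bursts"][key] = peak
    return findings


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

A burst from one child is the useful pivot: the child id ties the curl storm to the request that spawned it in the pool's access log, and the decoded key plus the file path (`wp-content/plugins/pwnd/lol.php`) gives the artefact to pull from disk before it is cleaned up.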
 
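On the question of a patch: Chankro does not exploit a bug in PHP, so there is nothing for Plesk's PHP builds to fix. It abuses intended behaviour: `putenv()` sets `LD_PRELOAD`, and a function that executes the sendmail binary (`mail()`, `mb_send_mail()`, or `error_log()` with message type 1) then runs the attacker's shared object in the spawned process. The attacker still needed write access first, which the log shows they had (`wp-content/plugins/pwnd/lol.php`), so the entry vector is the site, not the interpreter. What the panel can control is how far the chain gets and how many workers a runaway payload can occupy. The audit below is an added example, not Plesk's code or configuration; the config excerpts are constructed, and the `REQUIRED_DISABLED` set and the `pm.max_children` cap of 50 are this author's assumptions.

```python
"""Audit the settings that bound a Chankro-style payload: disable_functions
(does the putenv + LD_PRELOAD + sendmail chain stay open?) and the FPM pool's
pm.max_children (how many workers can a runaway payload occupy?).

Added example; config excerpts are constructed. REQUIRED_DISABLED and the
cap are assumptions to adapt per site.
"""

# Functions that exec the sendmail binary, which is what makes LD_PRELOAD fire.
MAILERS = {"mail", "mb_send_mail", "error_log"}
# Assumption: minimum set that closes the chain and the usual command-exec family.
REQUIRED_DISABLED = MAILERS | {
    "putenv", "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
}

WEAK_PHP_INI = """\
[PHP]
; constructed per-domain php.ini excerpt: only the exec family is off
open_basedir = /var/www/vhosts/domain.example.com/:/tmp/
disable_functions = exec,passthru,shell_exec,system
"""
HARDENED_PHP_INI = """\
[PHP]
open_basedir = /var/www/vhosts/domain.example.com/:/tmp/
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,putenv,mail,mb_send_mail,error_log
"""
WEAK_POOL = """\
[domain.example.com]
pm = ondemand
pm.max_children = 500
"""
HARDENED_POOL = """\
[domain.example.com]
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 10s
request_terminate_timeout = 60s
"""


def parse_ini(text):
    """Minimal php.ini / php-fpm pool parser: [sections], key = value, ';' comments."""
    data = {"global": {}}
    section = "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            data.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            data[section][key.strip().lower()] = value.strip().strip("\"'")
    return data


def disabled_functions(ini):
    """Normalised set of names from the first disable_functions directive found."""
    for sect in ini.values():
        if "disable_functions" in sect:
            return {f.strip().lower() for f in sect["disable_functions"].split(",") if f.strip()}
    return set()


def pool_max_children(pool):
    """(pool name, pm.max_children) from the first pool that sets it, else (None, None)."""
    for name, sect in pool.items():
        if "pm.max_children" in sect:
            return name, int(sect["pm.max_children"])
    return None, None


def audit(php_ini_text, pool_text, max_children_cap=50):
    """Report what is missing and what a hardened disable_functions line would be."""
    disabled = disabled_functions(parse_ini(php_ini_text))
    pool, children = pool_max_children(parse_ini(pool_text))
    return {
        "missing": sorted(REQUIRED_DISABLED - disabled),
        # chain is open when putenv is callable and at least one sendmail caller is too
        "preload_chain_open": "putenv" not in disabled and bool(MAILERS - disabled),
        "pool": pool,
        "pm_max_children": children,
        "max_children_ok": children is not None and children <= max_children_cap,
        "recommended_disable_functions": ",".join(sorted(disabled | REQUIRED_DISABLED)),
    }


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_PHP_INI, WEAK_POOL))
    print("hardened:", audit(HARDENED_PHP_INI, HARDENED_POOL))
```

Two caveats. Disabling `mail()` stops the site sending mail through sendmail, so sites that rely on it need an SMTP plugin before the change; in Plesk these directives are per domain and are normally set through the domain's PHP settings rather than by editing the generated php.ini by hand (assumption about where your install keeps them). And the process storm itself happened outside PHP once the preloaded payload was running, which is why pool limits alone only slow it down; capping the FPM service at the cgroup level (`TasksMax=` in a systemd drop-in for the plesk-php83-fpm unit, where the installed systemd supports it) bounds it regardless of what the payload forks.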
Seems Plesk is not interested in resolving this? Or doesn't take it serious. Probably we need to pay more USD for the licenses first?
 