
Question Security Question: Found a "JuicyPotato.php" file in Plesk directory

hypmen

New Pleskian
Server operating system version: windows server 2022
Plesk version and microupdate number: plesk obsidian 18.0.71
Hello Plesk Team & Community,

I recently discovered a file named JuicyPotato.php in the following directory on our Windows server: C:\Program Files (x86)\Plesk\admin\plib\modules\notifier\library\Notifications\
Given that "JuicyPotato" is a known name for a privilege escalation tool, finding a file with this name is a security concern for us.

I would like to clarify a few things:
  1. Is this file a legitimate part of a standard Plesk installation or one of its official modules?
  2. If it is a legitimate file, what is its intended purpose and functionality?
  3. If this is not an official Plesk file, what is the recommended procedure for its removal and for checking if the system has been otherwise compromised?
Any information or assistance would be greatly appreciated.

Thank you.
P.S
1.Plesk version: plesk obsidian 18.0.71
2.OS: windows server 2022
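Question 3 above asks for a procedure to check whether a file is part of a standard install. One defender-side way to answer that, independent of what the file is named, is to compare the module directory against a manifest taken from a clean reference installation of the same Plesk version: any file missing from the manifest, any file whose hash differs, and any file whose modification time is far from the rest of the tree deserves a closer look. The script below is an added example, not Plesk's own tooling; the directory trees and file contents it builds are constructed stand-ins, and the path names only mirror the layout mentioned in the post.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from statistics import median


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, '/' separated) to its SHA-256.
    Run this on a clean reference install of the same version to get the baseline."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_manifest(root: Path, manifest: dict, mtime_tolerance: float = 7 * 86400) -> dict:
    """Compare a live tree against a baseline manifest.
    unknown   : present on disk but not in the manifest (dropped or stray file)
    modified  : in both, but the hash differs (tampered or patched)
    missing   : in the manifest but absent on disk
    odd_mtime : modification time more than `mtime_tolerance` seconds from the
                median mtime of the tree (files in one module are normally written together)"""
    actual = build_manifest(root)
    findings = {"unknown": [], "modified": [], "missing": [], "odd_mtime": []}
    for rel, digest in actual.items():
        if rel not in manifest:
            findings["unknown"].append(rel)
        elif manifest[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = [rel for rel in manifest if rel not in actual]
    mtimes = {rel: (root / rel).stat().st_mtime for rel in actual}
    if mtimes:
        med = median(mtimes.values())
        findings["odd_mtime"] = [rel for rel, t in mtimes.items() if abs(t - med) > mtime_tolerance]
    return findings


def demo() -> dict:
    """Build a constructed reference tree and a constructed live tree, then diff them.
    The live tree has one altered file and one extra file with an out-of-place timestamp."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp) / "reference", Path(tmp) / "live"
        # Constructed contents; the real module files are not reproduced here.
        files = {
            "library/Notifications/JuicyPotato.php": b"<?php /* constructed stand-in */",
            "library/Notifications/Base.php": b"<?php /* constructed stand-in */",
        }
        for root in (ref, live):
            for rel, body in files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(body)
        # Simulate what an auditor would want flagged on the live host.
        (live / "library/Notifications/Base.php").write_bytes(b"<?php /* constructed, altered */")
        extra = live / "library/Notifications/extra.php"
        extra.write_bytes(b"<?php /* constructed unknown file */")
        old = time.time() - 90 * 86400  # timestamp 90 days away from its siblings
        os.utime(extra, (old, old))
        return compare_to_manifest(live, build_manifest(ref))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice you would run `build_manifest` on a freshly installed Plesk of the same version (or a known-good backup), save the result as JSON, and run `compare_to_manifest` against the production `modules` directory; a file that matches the reference hash, as the JuicyPotato.php in this thread is reported to, is then cleared on evidence rather than on its name. The mtime heuristic is only a prompt for review, since legitimate updates also rewrite files.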
 
Hello, @hypmen. It is a legitimate file, part of the Plesk modules (ext-notifier extension), and it is related to the Juicy Potato vulnerability:

Thank you, Manager, for your clarification on this security concern.

I have a follow-up question. Could you please clarify under what circumstances, if any, the Plesk system would execute this JuicyPotato.php file? And what would be its intended function when executed?

The reason I ask is that when I tried to inspect the file, its content appears to be encrypted or obfuscated, which prevents me from analyzing its purpose directly. Understanding its potential execution path is crucial for our security assessment.

Thanks again for your assistance.
 
I am not entirely sure what specific event would trigger the execution of the file, but since it belongs to ext-notifier, that would be something related to Plesk's notification system. The file in question is present on all Plesk installations. Therefore, I can confidently confirm that it is not an exploit that occurred on your server. Since you are running Windows 2022 and Plesk above 18.0.32, you should not be affected by the vulnerability in the first place. Thus, you can safely ignore it.
 
Thank you, @Manager, for the detailed and very helpful reply!

I'd also love to hear from other experts or community members on this. If you have any experience or further insights into this topic, please feel free to share them. Looking forward to sparking some new ideas together.
 
Pretty sure that notification only triggers when it detects an exploit attempt utilizing JuicyPotato. Honestly, I wouldn't worry about it too much, and besides, if a hacker did try to utilize JuicyPotato to exploit your system, they wouldn't be naming it JuicyPotato lol.
 