Background on Six Month Old Vulnerability Exploit Attempt

The IBM X-Force Threat Analysis Service (XFTAS) reports on vulnerabilities that need to be brought to the attention of our customers. Such was the case in June of 2013. We found a report on a Plesk Control Panel vulnerability (CVE-2013-4878) and provided the following assessment at that time:

Critical Plesk Vulnerability

Exploit code has been released that is reported to target versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Plesk is a commercial software web administration package that allows an administrator to easily set up new websites, email accounts, and DNS entries via a web-based interface. The vulnerability is reported to rely on a non-default setting in Plesk which exposes the entire /usr/bin directory to the Internet. An attacker who successfully exploits this vulnerability can gain shell access to the victim’s server. Customers should verify that the following Plesk configuration entry is not present:

ScriptAlias /phppath/ "/usr/bin/"

Plesk administrators should contact their distribution channels for more information regarding configuration best practices.


During the weekend of January 4th, the SOC began seeing attacks on our customers that appeared to be attempting to exploit this vulnerability. The payload of these attacks looked like this:


Actions Taken

The SOC escalated the event to management and began contacting affected customers. Further analysis of the attack revealed only one attacking IP, It also gave a strong indication that the attack was against the Internet as a whole and not any specific customer or industry. While researching the attack, we saw that other organizations, such as ISC, were aware of activity from this IP address as well. In their report, however, the attack they noted appeared to be targeting potentially vulnerable Linksys devices.

Data Seen

The top ten signatures seen in connection with this attack were:





HTTP: Detect PHP-CGI Remote code Execution vulnerability


PHP Remote Code Execution






SERVER-WEBAPP PHP-CGI remote file include attempt


PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability(34804)




TCP SYN Host Sweep


PHP CGI Query String Parameter Handling Code Injection Vulnerability(34790)
Scroll to view full table

This is a common tactic among attackers. First they scan for open ports and then, based on their recon, select an appropriate attack vector from the exploits they have in stock.

Summary and Recommendations

Attacks, such as this one, only reinforces the XFTAS’ recommendations to keep operating systems and applications patched in a timely manner. Attacks against new vulnerabilities do not always occur immediately after their announcement. Sometimes, as in this case, it may be months before the vulnerability is exploited.

Further References

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…