
Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:

[Image: injection_attempt_1]

The script targeted the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code into the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited.
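A defender can look for this pattern by checking whether the username field of a webmail login request contains PHP code. The following is an added example, not code from the original post or from the attack script. It assumes POST bodies are available (for instance from a WAF audit log); the field names and sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumed names of the login form's username field; not taken from the article.
USERNAME_FIELDS = {"username", "user", "imapuser"}

# Markers of PHP code that have no place in a mailbox login name.
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)?|\b(?:eval|system|passthru|shell_exec|base64_decode)\s*\(",
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so an encoded payload is still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_injected_usernames(bodies):
    """Return (index, field, decoded_value) for bodies whose username holds PHP code."""
    hits = []
    for index, body in enumerate(bodies):
        # parse_qsl performs the first round of URL-decoding.
        for field, value in parse_qsl(body, keep_blank_values=True):
            if field.lower() not in USERNAME_FIELDS:
                continue
            decoded = fully_decode(value)
            if PHP_MARKERS.search(decoded):
                hits.append((index, field, decoded))
    return hits

# Constructed sample POST bodies (not captured traffic).
SAMPLE_BODIES = [
    "imapuser=alice%40example.org&pass=hunter2",
    "imapuser=%3C%3Fphp+echo+1%3B+%3F%3E&pass=x",
    "username=%253C%253Fphp%2520echo%25201%253B%2520%253F%253E&pass=x",
    "user=bob&comment=%3C%3Fphp+echo+1%3B+%3F%3E",
]

if __name__ == "__main__":
    for index, field, value in find_injected_usernames(SAMPLE_BODIES):
        print(f"body {index}: field {field!r} contains PHP code: {value!r}")
```

Only the username field is inspected, so the fourth sample body is not reported; fields such as message text would need their own, looser rule to avoid false positives.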

In this specific instance, the attackers were using an IRC-based botnet as a payload. The botnet was technically minimal, but did include basic flooding capabilities.

[Image: udpflood_small_2]

The Perl script used in this case has been around for a number of years, and the bot is openly discussed in PHP exploit groups. What’s interesting is that this particular version seems to have been pieced together by many individuals, judging from the alternating English and Spanish found throughout the script.

[Image: spreader_small_3]

The active exploitation of this year-old vulnerability serves as an important reminder that website operators and administrators must keep systems up-to-date. This is especially urgent with vulnerabilities that are remotely detectable. Keeping systems up-to-date means not just the operating system: every program, and every add-on for those programs, also needs to be kept up-to-date. A vulnerability left unpatched in any one of them can lead to total system compromise. Left unpatched, this bug and others like it will likely continue to be exploited for years to come. Only time will tell what other payloads may be installed.



Authors

Craig Williams

Director

Talos Outreach