An exploit that extracts the master password needed to control Parallels’ Plesk Panel, a software suite used to remotely administer hosted servers at a large number of Internet hosting firms, is for sale.
The attack comes amid reports from multiple sources indicating a spike in Web site compromises that appear to trace back to Plesk installations.
A hacker on a forum has been selling the ability to hack any site running Plesk Panel version 10.4.4 and earlier, according to a published report. The hacker even developed a point-and-click tool he claims can recover the admin password from a vulnerable Plesk installation, as well as read and write files to the Plesk Panel.
The exploit is selling for $8,000, and the seller claims the vulnerability it targets remains unpatched, according to the report. Other forum readers said they have used it and that it works.
It remains unclear if this relates to a series of attacks against Plesk installations. Sucuri Malware Labs, a company that tracks mass Web site compromises, said 50,000 sites have suffered compromises as part of a sustained malware injection attack, and that a majority of the hacked sites involved Plesk installations.
In a blog post last month about a new technological advancement in BlackHole exploit kits, malware researcher Denis Sinegubko examined more than a dozen sites seeded with the newer BlackHole kits. He discovered the common link was Plesk, and said the culprit was likely a now-patched security hole in Plesk versions prior to 10.4.
But over the past few days, Plesk users have been flooding the Parallels user forum, complaining of having their servers compromised even though they were running the latest versions of the software.