
Check for Plesk Remote Vulnerability

Learn how to check if Plesk is affected by a security vulnerability found in Plesk 10.3.1 or earlier.

All Plesk versions from 7.x to 10.3.1 are affected by a security flaw. Plesk 10.4.x and newer already include a security patch and are not affected. The flaw allows an attacker to gain root or administrator access through an SQL injection. The Parallels Knowledgebase offers more information on this vulnerability.

Please note:
If you do not have Plesk, this vulnerability does not affect you.
Check for Infiltration
Step 1
Log in to your 1&1 Control Panel and select the relevant package.
Step 2
Click on Server Administration > Server Access Data. If Plesk login credentials are listed there, Plesk is installed on your server. Even if you do not use Plesk to manage your server, your server is at risk as long as Plesk is installed and running.
Step 3
To determine if your server has been compromised, check for suspicious behaviour. Possible indicators are:
  • A sharp increase in traffic (use commands like ifconfig, netstat, iptraf).
  • Your server responds more slowly than usual (which may indicate additional, malicious processes running).
  • Your process list shows unfamiliar entries (use commands like top, htop, ps aux).
  • A virus scanner or rootkit scanner reports a possible infiltration.
  • You are no longer able to log into your server via SSH or Plesk.
  • Your server is inaccessible (this may indicate a network shutdown for your server enacted by 1&1 to prevent abuse).
  • An unknown cron job has been set up by a third party. User crontabs are stored in the folder /var/spool/cron/tabs/ (on other distributions the folder may be /var/spool/cron/crontabs/ or /var/spool/cron/; system-wide jobs also live in /etc/cron.d/).

For example, list the files in this location and check for unfamiliar results:

[root@u12345678 ~]# ls /var/spool/cron/tabs/
scatterly
[root@u12345678 ~]#

In this listing, "scatterly" is an unfamiliar crontab that the server runs regularly. Use the cat command to view the contents of the cron jobs:

[root@u12345678 ~]# cat /var/spool/cron/tabs/*
* * * * * /usr/bin_us/perl /srv/www/vhosts/YOUR DOMAIN NAME/cgi-bin/morindone.pl detach>/dev/null 2>&1
[root@u12345678 ~]#

This entry runs every minute, starts a Perl script from a web-served directory, and discards all of its output, which is a typical shape for a job planted by an attacker. If the morindone.pl file is not familiar to you, investigate it to determine whether it is legitimate.
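The following crontab triage script is an added example and is not part of the 1&1 article or of Plesk. It automates the cron check from Step 3: it reads crontab text and flags entries shaped like the injected job above (a schedule that runs every minute, an interpreter started on a script under a web document root, and output sent to /dev/null), then walks the crontab directories that exist on the host. The directory list, the scoring rule and the sample crontab are assumptions made for this example; the domain name from the article's entry is replaced by example.com.

```shell
#!/bin/sh
# Added example (not from the 1&1 article): flag crontab entries that look
# like the injected job shown in the article. Directory list, scoring rule
# and the sample crontab below are assumptions made for this example.

# Crontab spool directories by distribution: SUSE uses /var/spool/cron/tabs,
# Debian/Ubuntu /var/spool/cron/crontabs, RHEL/CentOS /var/spool/cron;
# /etc/cron.d holds system-wide jobs on all of them.
CRON_DIRS="/var/spool/cron/tabs /var/spool/cron/crontabs /var/spool/cron /etc/cron.d"

# Read crontab text on stdin and print every job line that scores 2 or more
# on the three indicators. Comments, blank lines and VAR=value lines are
# skipped. Works for user crontabs and for /etc/cron.d files (extra user field).
flag_suspicious_cron() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line
        NF == 0          { next }                          # blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }    # environment assignment
        {
            score = 0
            # schedule "* * * * *": the job runs every minute
            if ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*") score++
            # an interpreter started on a script under a web-served path
            if ($0 ~ /(perl|python|php|ruby|sh)[0-9.]* +\/(srv\/www|var\/www|home)\//) score++
            # stdout and stderr discarded, so the job never shows up in cron mail
            if ($0 ~ />[[:space:]]*\/dev\/null/) score++
            if (score >= 2) print
        }'
}

# Number of flagged lines on stdin (prints 0 when nothing is flagged).
count_suspicious_cron() {
    flag_suspicious_cron | awk 'END { print NR }'
}

# Walk every crontab directory that exists on this host and report hits,
# prefixed with the file (for user crontabs, the owner) they came from.
scan_cron_dirs() {
    for d in $CRON_DIRS; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            flag_suspicious_cron < "$f" | sed "s|^|$f: |"
        done
    done
}

# Constructed sample crontab: two ordinary jobs and one modelled on the
# injected entry from the article (domain name replaced by example.com).
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/rsync -a /srv/www /backup/www
*/15 * * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /usr/bin_us/perl /srv/www/vhosts/example.com/cgi-bin/morindone.pl detach>/dev/null 2>&1'

# Stand-alone run: triage the sample first, then whatever crontabs this host has.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_suspicious_cron
scan_cron_dirs
```

Run it as root so that every user's crontab is readable. A hit is a lead, not a verdict: confirm it by reading the referenced script and checking its owner and modification time, and extend the indicator list with whatever you know about your own legitimate jobs.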
If the Server has not been compromised

If your system has not been compromised, do one of the two following:

If the Server has been compromised

If your server has been compromised, you cannot simply update Plesk or apply the patch: the root or administrator accounts may already be accessible to attackers. Back up your data and re-image the server with an OS image that includes a newer version of Plesk, or one that does not include Plesk. Treat the backup as untrusted and restore data only, not scripts or binaries, until you have inspected them. Choose new passwords for your server, including the Plesk and database credentials shown under Server Access Data.