Cisco sees possible exploit vector for DarkLeech compromises

Craig Williams, technical leader, threat research at Cisco, writes of another old, well-known flaw being exploited.

Craig Williams, technical leader, threat research at Cisco, writes of another old, well-known flaw being exploited in the Cisco security blog.

In this post, he describes an example of a malicious script used in an attempted attack against their server:

[Image: injection_attempt_1]

He writes:

The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited.

In this specific instance, the attackers were using an IRC-based botnet as a payload. The botnet was technically minimal, but did include basic flooding capabilities.

He writes that the Perl script used in this case has been around for several years, and the bot is openly discussed in PHP exploit groups. This specimen looks like it was pieced together by a number of people, if the alternating English and Spanish throughout the script is any indication.
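As an added defensive example (not code from the Cisco post or from this article), the Python below scans web-server log lines for POST requests to the Horde/IMP login handler whose username field carries PHP code, the pattern Williams describes. The log format, the `/horde/` path and the `imapuser`/`horde_user` field names are assumptions, and the sample log lines are constructed.

```python
"""Flag webmail login requests whose username field carries PHP code.

Assumptions (not stated in the article): access logs are Apache-style with
the POST body appended as a final quoted field, the Horde/IMP login handler
lives under /horde/, and the username parameter is `imapuser` or `horde_user`.
"""
import re
from urllib.parse import parse_qs

# Tokens that never belong in a legitimate username. "<?" is what "PHP code
# in the username field" implies; the rest are common payload helpers.
PHP_MARKERS = re.compile(
    r"<\?|base64_decode|eval\s*\(|system\s*\(|passthru\s*\(|shell_exec", re.I
)
USERNAME_FIELDS = ("imapuser", "horde_user")  # assumed field names

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<body>[^"]*)"$'
)


def flag_login_requests(lines):
    """Return (ip, path, decoded username) for each suspicious Horde login."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or "/horde/" not in m["path"]:
            continue  # only POSTs to the webmail login handler matter
        params = parse_qs(m["body"], keep_blank_values=True)
        for field in USERNAME_FIELDS:
            for value in params.get(field, []):
                if PHP_MARKERS.search(value):
                    hits.append((m["ip"], m["path"], value))
    return hits


# Constructed sample log: one injection attempt, two benign logins, one GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2013:08:01:12 +0000] "POST /horde/imp/redirect.php HTTP/1.1" 200 512 '
    '"imapuser=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E&pass=x&mailbox=INBOX"',
    '198.51.100.7 - - [10/Apr/2013:08:02:40 +0000] "POST /horde/imp/redirect.php HTTP/1.1" 302 0 '
    '"imapuser=alice%40example.com&pass=secret&mailbox=INBOX"',
    '192.0.2.9 - - [10/Apr/2013:08:03:01 +0000] "GET /horde/login.php HTTP/1.1" 200 3400 "-"',
    # a username merely containing the word "php" must not be flagged
    '192.0.2.9 - - [10/Apr/2013:08:03:30 +0000] "POST /horde/login.php HTTP/1.1" 200 300 '
    '"horde_user=phpuser&horde_pass=s3cret"',
]

if __name__ == "__main__":
    for ip, path, user in flag_login_requests(SAMPLE_LOG):
        print(f"suspicious login from {ip} to {path}: {user!r}")
```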

He concludes:

The active exploit of this year-old vulnerability serves as an important reminder that website operators and administrators must keep systems up-to-date. This is especially urgent with vulnerabilities that are remotely detectable.

Check out his full post for more examples of the suspicious script.
