Posts Tagged ‘email’

Identifying Plesk Users: A Spammer's Delight?

February 23rd, 2011

Parallels Plesk is an extremely popular platform for web hosts and service providers who design and service websites. This software is widely deployed all around the globe with thousands of installations. In this article we discuss how a spammer could direct an attack at Parallels Plesk users or trick them into giving up their credentials. We will show how misconfigured Parallels Plesk servers can disclose valid email addresses to spammers, which could then be used in an “intelligent” phishing or spam campaign.

The Parallels Plesk platform is used in thousands of installations worldwide. This software presents an automated control panel for end-user clients to choose and manage services. Administrators install this software on their servers to automate the tasks of hosting websites and much more. During installation, complications can occur that leave Plesk improperly configured. Spammers targeting Plesk users and administrators can use misconfigurations like these to their benefit. We will discuss how a spammer could access this improperly disclosed information on nearly 120,000 misconfigured installations, and how the email addresses of server admins could be mined to support a sophisticated phishing or spam campaign aimed at revealing their credentials.

Misconfiguration Leads to Disclosure
The first step to finding misconfigured Plesk servers is to understand how these misconfigurations look in the public domain. When Plesk is not configured properly, it displays a default message (see image below). These installations can be identified easily by using a search engine on the web such as Google. All one needs to do is search for web pages which have the string “Default PLESK Page” in the title.

Once these pages have been located, the email addresses of their owners could be mined from the HTML using a simple script. In most cases, the email addresses embedded in a default page are different from the related WHOIS information. This alone is not a vulnerability in Plesk; however, it seems that a piece of software like Plesk should not present email addresses in a way that lets spammers harvest them so easily. In some cases, we found that directories containing sensitive information about file system layout and billing were publicly accessible. Server administrators should be very conscientious about the information disclosed in default pages.
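The check an administrator would want here is a self-audit of their own hosts: fetch the page a server answers with, see whether it is the Plesk default page named above, and list every email address it exposes. The following script is an added example written for this post, not code from the post or from Parallels; it runs offline over a constructed sample of a default page (the `example.test` addresses are made up), and the `audit_page` function accepts any HTML string you retrieve from your own servers.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a misconfigured host might serve; not a real capture.
SAMPLE_HTML = """<html><head><title>Default PLESK Page</title></head>
<body><p>This is the default page for this server.</p>
<p>If you are the administrator, please contact
<a href="mailto:admin@example.test">admin@example.test</a>
or <a href="mailto:hosting@example.test">hosting@example.test</a>.</p>
</body></html>"""

# The title string the post identifies as the marker of an unconfigured install.
DEFAULT_PAGE_MARKER = "default plesk page"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _PageCollector(HTMLParser):
    """Collects the <title> text, visible text and mailto: link targets."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        if tag == "a":
            for name, value in attrs:
                # Addresses hidden only in href="mailto:..." are still harvestable.
                if name == "href" and value and value.lower().startswith("mailto:"):
                    self.text_chunks.append(value[len("mailto:"):])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.text_chunks.append(data)


def audit_page(html: str) -> dict:
    """Report whether html is a Plesk default page and which addresses it exposes."""
    parser = _PageCollector()
    parser.feed(html)
    emails = sorted(set(EMAIL_RE.findall(" ".join(parser.text_chunks))))
    is_default = DEFAULT_PAGE_MARKER in parser.title.lower()
    return {
        "title": parser.title.strip(),
        "is_default_plesk_page": is_default,
        "emails": emails,
        # The combination the post warns about: an unconfigured host that
        # publishes contact addresses to anyone who requests the page.
        "exposed": is_default and bool(emails),
    }


if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML)
    print(f"title={result['title']!r} default_page={result['is_default_plesk_page']}")
    for address in result["emails"]:
        print("exposed address:", address)
```

Run it against each hostname your server answers for (for example, by retrieving `http://HOST/` with any HTTP client and passing the body to `audit_page`); any result with `exposed` set to true is a host that should get a real site or a neutral placeholder page with no contact addresses in it.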

Conclusion
Plesk default pages could be located in thousands of installations. Spammers can easily harvest email addresses from these default pages. Once harvested, these addresses could be used to launch a targeted phishing attack against server administrators in order to obtain administrator credentials. We encourage Plesk server administrators not to display email addresses via default pages. Perhaps Parallels will also rethink the information Plesk displays to the public via default pages.


Misconfigured Log Files: A Treasure Trove of Email Addresses

May 12th, 2010

Most websites and services today use some kind of framework based on modern languages such as PHP, Ruby, Python and others. This has allowed many individuals to host arguably complex websites. That is a good thing, except that many website owners do not pay sufficient attention to the security of the software packages they run and never harden the default configurations they get out of the box.

More importantly, some webmasters are not even aware of the various misconfigurations which may leak sensitive information about their website and customers over the web.

Overview

This article is written to raise awareness of misconfigurations in the domains webmasters manage, so that more of them will pay attention. From our interaction with webmasters, we understand that they are already bogged down with many maintenance duties. However, the fact remains that misconfiguration errors, when left unaddressed, can spew important information into the hands of malicious persons.

An Example

Consider a website that we analyzed a few days ago; its URL looked like this:
hxxp://www.[scrubbed].net/forms/[scrubbed]/[scrubbed]/simple.log

This particular page was listing all email addresses that were registered on the website. These registrations may have been the result of user requests to be put on a weekly newsletter of some sort. The page listed 623 email addresses, including addresses belonging to .mil, @gmail.com, @yahoo.com domains and more. The server was running Apache/1.3.41.

Conclusion

Though this incident may not have caused direct harm to the website, it is definitely undesirable to have an email address list lying out in the open. It only serves as fodder for spam bots and malicious persons to launch social engineering attacks.

In conclusion, webmasters, please do not leave your software installations in their default settings, and do pay attention to misconfiguration and other errors.
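A webmaster who wants to act on this advice needs two things: a way to find data-bearing files (logs, exports, backups) that sit inside the document root, and a check that the web server is actually refusing to serve them. The script below is an added example written for this post, not code from the post or from any vendor. It walks a webroot, flags files with extensions assumed to hold data rather than pages, counts the email addresses inside each, and then looks for an Apache `<FilesMatch>` deny rule in an `.htaccess` on the path up to the webroot. The `build_demo_webroot` helper creates a throwaway directory with a constructed `forms/newsletter/simple.log` (the addresses in it are made up) so the whole thing runs offline; the `.htaccess` it can write is the corrected configuration, and a webroot without it is the weak default the post describes.

```python
import os
import re
import tempfile

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Extensions assumed to hold application data rather than pages (our choice, not a standard list).
RISKY_EXTENSIONS = (".log", ".csv", ".sql", ".bak")

# Apache 2.4 rule that stops the server from serving these files at all.
PROTECT_HTACCESS = '''<FilesMatch "\\.(log|csv|sql|bak)$">
    Require all denied
</FilesMatch>
'''


def _htaccess_denies(htaccess_text, filename):
    """True if a <FilesMatch> block whose pattern matches filename contains a deny directive."""
    pattern, denied = None, False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<FilesMatch\s+"([^"]+)"\s*>', line, re.IGNORECASE)
        if opened:
            pattern, denied = opened.group(1), False
            continue
        if line.lower().startswith("</filesmatch>"):
            if pattern and denied and re.search(pattern, filename):
                return True
            pattern = None
            continue
        # Apache 2.4 syntax and the older 2.2 form.
        if pattern and line.lower() in ("require all denied", "deny from all"):
            denied = True
    return False


def is_blocked(webroot, relpath):
    """Walk from the file's directory up to webroot looking for a matching deny rule."""
    filename = os.path.basename(relpath)
    directory = os.path.join(webroot, os.path.dirname(relpath))
    while True:
        candidate = os.path.join(directory, ".htaccess")
        if os.path.isfile(candidate):
            with open(candidate) as fh:
                if _htaccess_denies(fh.read(), filename):
                    return True
        if os.path.abspath(directory) == os.path.abspath(webroot):
            return False
        directory = os.path.dirname(directory)


def audit_webroot(webroot):
    """List data-bearing files under webroot with how many addresses each leaks."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(RISKY_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            with open(full, errors="replace") as fh:
                emails = set(EMAIL_RE.findall(fh.read()))
            findings.append({"path": rel, "emails": len(emails), "blocked": is_blocked(webroot, rel)})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_webroot(protect=False):
    """Create a temporary webroot holding a constructed signup log like the one in the post."""
    root = tempfile.mkdtemp(prefix="webroot-")
    forms = os.path.join(root, "forms", "newsletter")
    os.makedirs(forms)
    with open(os.path.join(forms, "simple.log"), "w") as fh:
        fh.write("2010-05-01 signup alice@example.test\n"
                 "2010-05-02 signup bob@example.mil\n"
                 "2010-05-02 signup alice@example.test\n")  # duplicate on purpose
    if protect:
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write(PROTECT_HTACCESS)
    return root


if __name__ == "__main__":
    for protect in (False, True):
        root = build_demo_webroot(protect=protect)
        for finding in audit_webroot(root):
            state = "blocked" if finding["blocked"] else "SERVED"
            print(f"{finding['path']}: {finding['emails']} addresses, {state}")
```

Point `audit_webroot` at a real document root and treat every finding reported as not blocked as something to move outside the webroot or cover with the deny rule; the `.htaccess` check only recognises `<FilesMatch>` blocks with `Require all denied` or `Deny from all`, so rules kept in the main server configuration, or written with other directives, still need to be confirmed by requesting the file from outside.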
