Parallels Plesk is an extremely popular platform for web hosts and service providers who design and service websites. This software is widely deployed all around the globe with thousands of installations. In this article we discuss how a spammer could direct an attack at Parallels Plesk users or trick them into giving up their credentials. We will show how misconfigured Parallels Plesk servers can disclose valid email addresses to spammers, which could then be used in an “intelligent” phishing or spam campaign.
The Parallels Plesk platform is used in thousands of installations worldwide. This software presents an automated control panel for end-user clients to choose and manage services. Administrators install this software on their servers to automate the tasks of hosting websites and much more. During installation, some complications can occur that leave Plesk improperly configured. Spammers targeting Plesk users and administrators can use misconfigurations like these to their benefit. We will discuss how a spammer could access this improperly disclosed information on nearly 120,000 misconfigured installations. We will see how the email addresses of server admins could be mined to support a sophisticated phishing or spam campaign aimed at getting them to reveal their credentials.
Misconfiguration Leads to Disclosure
The first step to finding misconfigured Plesk servers is to understand how these misconfigurations look in the public domain. When Plesk is not configured properly, it displays a default message (see image below). These installations can be identified easily by using a search engine on the web such as Google. All one needs to do is search for web pages which have the string “Default PLESK Page” in the title.
Once these pages have been located, the email addresses of their owners could be mined from the HTML using a simple script. In most cases, the email addresses embedded in a default page are different from the related WHOIS information. This alone is not a vulnerability in Plesk; however, a piece of software like Plesk should not present email addresses in a way that lets spammers harvest them so easily. In some cases, we found that directories containing sensitive information about the file system layout and billing were publicly accessible. Server administrators should be very conscientious about the information disclosed in default pages.
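The practical question for an administrator is whether their own server's default page is one of the leaking ones. The following self-audit script is an added example, not code from the original article or from Parallels: it takes the HTML of a page (fetched from a host you administer, or the constructed sample embedded below), checks for the “Default PLESK Page” title the article describes, and lists any email addresses found in the markup, including those hidden in `mailto:` links and attribute values. The `audit_default_page` and `audit_url` names, the hostnames in the sample, and the use of plain HTTP(S) access are assumptions of this example.

```python
"""Self-audit: does a Plesk host's default page disclose e-mail addresses?

Added example (not from the original article or from Parallels). It checks
one page's HTML for the "Default PLESK Page" title and for e-mail addresses
anywhere in the markup, so an administrator can confirm that a server they
run is not handing addresses to spammers. Point it only at hosts you administer.
"""
import re
import sys
import urllib.request
from html.parser import HTMLParser

DEFAULT_TITLE = "Default PLESK Page"  # title string the article uses to identify a default page
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _TitleAndText(HTMLParser):
    """Collect the <title> text plus all visible text and attribute values."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.title = ""
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        # mailto: hrefs and <meta> content are common places for addresses
        for _, value in attrs:
            if value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False

    def handle_data(self, data):
        if self.in_title:
            self.title += data
        self.chunks.append(data)


def audit_default_page(html):
    """Return a report: is this a default page, and which addresses does it expose?"""
    parser = _TitleAndText()
    parser.feed(html)
    emails = sorted(set(EMAIL_RE.findall(" ".join(parser.chunks))))
    is_default = DEFAULT_TITLE.lower() in parser.title.strip().lower()
    if is_default and emails:
        finding = "default page exposes addresses"
    elif is_default:
        finding = "default page, no addresses"
    elif emails:
        finding = "addresses present"
    else:
        finding = "clean"
    return {"is_default_page": is_default, "emails": emails, "finding": finding}


def audit_url(url, timeout=10):
    """Fetch a page from a host you administer and audit it (assumes plain HTTP/HTTPS)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return audit_default_page(resp.read().decode("utf-8", "replace"))


# Constructed sample imitating a misconfigured default page (not real data).
SAMPLE_LEAKING = """<html><head><title>Default PLESK Page</title></head>
<body><h1>Web Server's Default Page</h1>
<p>Contact: <a href="mailto:admin@example.invalid">admin@example.invalid</a></p>
<p>Billing: billing@hosting.example.invalid</p></body></html>"""

# Constructed sample of a default page that discloses nothing.
SAMPLE_CLEAN = """<html><head><title>Default PLESK Page</title></head>
<body><p>This site is not yet configured.</p></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url in sys.argv[1:]:          # e.g. python audit.py http://your-own-host/
            print(url, audit_url(url))
    else:
        print(audit_default_page(SAMPLE_LEAKING))
        print(audit_default_page(SAMPLE_CLEAN))
```

Run with no arguments to see the two constructed samples reported, or pass the URL of a server you administer. A result of “default page exposes addresses” means the page should be replaced with a configured site or, at minimum, stripped of the contact address before it is left reachable from the public internet.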
Plesk default pages could be located in thousands of installations. Spammers can easily harvest email addresses from these default pages. Once harvested, these addresses could be used to launch a targeted phishing attack aimed at getting server administrators to disclose their credentials. We encourage Plesk server administrators not to display email addresses via default pages. Perhaps Plesk will rethink the information displayed to the public via default pages as well.