A flaw in some versions of the hosting control panel Parallels Plesk Panel played a significant role in the recent attacks on the Federal Trade Commission's websites, according to a report by Ars Technica.
The flaw in Parallels Plesk Panel, software that lets hosting providers perform server administration tasks remotely, could affect hosting companies that have not recently updated the software, along with their customers.
The incident is a cautionary tale for hosting companies and end users alike, a reminder of how important it is to keep software up to date and apply security patches promptly.
One of the affected organizations was the public relations agency Fleishman-Hilliard, which was hosting FTC websites on Media Temple's servers when they were hacked by Anonymous' Antisec collective last week. Media Temple has since asked the company to move its content to another web host's servers.
Media Temple runs several versions of Plesk depending on the customer, including Plesk 8, 9 and 10. According to sources cited in the report who are familiar with the FTC website hacks, Plesk was at least partially used by the Anonymous hackers to gain access to the sites. It is still not entirely clear whether Media Temple knew how critical the Plesk flaw was at the time the FTC sites were hacked.
Media Temple chief marketing officer Kim Brubeckas said the company was unaware that Fleishman-Hilliard was going to use its servers to host government accounts and, had it known, it would have advised them against it since the company is not a “FISMA-certified hosting service”.
The Plesk flaw allows an unauthorized third party to modify a website's user accounts, files and security settings. This means attackers who have already compromised a site could retain access to it even after the hosting company and its customers apply the security fixes, for example through accounts or files they created or altered while they had access.
Security experts are therefore recommending that customers of hosting companies that use Plesk double-check the content on their servers and accounts for unauthorized changes, and change their passwords immediately.
In an update posted on its website, Parallels says the flaw affects Plesk 8.x, 9.x, 10.0.x, 10.1.x, 10.2.x and 10.3.x, on both Linux/Unix and Windows.
However, it confirms that "the issue has been completely fixed in Plesk 8.6 MU#2, 9.5 MU#11, 10.3 MU#5 and later." The company has posted the fixes on the same page, so installations on any of the affected branches should be brought up to at least those micro-update levels.