2012-05-13 20:43

So after 17 years of running servers on the open Net, I got hacked on March 2.

Or as Jon Cox (@generic_person) put it, with probably greater accuracy: “It’s more realistic to say ‘I detected my first hack.’”

I discovered the break-in by finding an unknown file in /cgi-bin on one of my domains. When I brought it down to my local machine for a look-see, it triggered ClamXav. (Yes, since Flashback I run AV routinely on the Mac.)

Dan O’Neill (@dkoneill) did most of the heavy lifting in figuring out where the vulnerability was.

Plesk, the hosting management package I’ve used for years, had a remote vulnerability that got exploited around February 24 to insert and run a DDoS bot.

Parallels (who now owns Plesk) patched the hole quickly, within a few days. I didn’t hear about it; I don’t get push notifications from them. I’m not their customer, after all. My hosting company is.

The thing that got dropped on me (using Plesk’s XML-RPC), probably by an automatic exploit process trolling the Net for vulnerable Plesk installations, was this DDoS package that says in the source that it is “part of the Gootkit ddos system.”

The comments are in Russian.

Ten of the domains on my server got a randomly named file in /cgi-bin (1,720 lines, 62,934 bytes). Each of the Unix login accounts associated with those domains got a cron job installed that ran once a minute to fire off the perl program.

I have more than two dozen domains on that server. The reason I assume an automated process is that it stopped at ten.

My server was part of a DDoS botnet for 71 days, but it never got called up. The outgoing bandwidth from March onward shows no unusual spikes. And I didn’t wind up on any blackhole lists.

This guy posted a description of the exploit with detailed instructions for patching it up by hand on a Plesk installation. Good thing he did, because my GUI access to Plesk updates is busted. Who knows how long it has been? I haven’t been checking. As part of the process of cleaning up after the hack, I brought my Plesk 9.5.4 installation up-to-date with all patches, via the command line. GUI access to updating is still kaput.

Symantec says that Trojan.Gootkit was discovered May 11, 2010, and characterizes its risk level as “Very Low.” Troy Hunt blogged about Gootkit in September 2011 and noticed from his referer logs that there was suddenly a great deal of interest in that keyword. We can infer that Gootkit went wide at about this point. The bad guys’ exploitation of the hole in Plesk seems to date from February of this year.