Hackers in the criminal underground are selling an exploit that extracts the master password needed to control Parallels’ Plesk Panel, a software suite used to remotely administer hosted servers at a large number of Internet hosting firms. The attack comes amid reports from multiple sources indicating a spike in Web site compromises that appear to trace back to Plesk installations.

A miscreant on one very exclusive cybercrime forum has been selling the ability to hack any site running Plesk Panel version 10.4.4 and earlier. The hacker, a longtime member of the forum who has a history of selling reliable software exploits, has even developed a point-and-click tool that he claims can recover the admin password from a vulnerable Plesk installation, as well as read and write files to the Plesk Panel (see screen shot at right).

The exploit is being sold for $8,000 a pop, and according to the seller the vulnerability it targets remains unpatched. Multiple other members appear to have used it and vouched for its value.

It’s unclear whether this claimed exploit is related to a rash of recent attacks against Plesk installations. Sucuri Malware Labs, a company that tracks mass Web site compromises, told SC Magazine that some 50,000 sites have recently been compromised as part of a sustained malware injection attack, and that a majority of the hacked sites involved Plesk installations.

“What is interesting is that most of our clients always used to be using CMSs (like WordPress, Joomla, etc), but lately we are seeing such a large number of just plain HTML sites getting compromised and when we look deeper, they are always using Plesk,” Sucuri’s Daniel Cid said in a follow-up interview with KrebsOnSecurity.com.

In a detailed blog post last month about a new technological advancement in BlackHole exploit kits, malware researcher Denis Sinegubko examined more than a dozen sites that were seeded with the newer BlackHole kits. He discovered that the common link was Plesk, and said the culprit was likely a now-patched security hole in Plesk versions prior to 10.4.

But over the past few days, a number of Plesk users have been flooding the Parallels user forum, complaining of having their servers compromised even though they were running the latest versions of the software.

Tags: 0day, BlackHole Exploit Kit, Daniel Dede, Denis Sinegubko, Plesk 10.4, Plesk 10.4.4, SC Magazine, sucuri security