A critical vulnerability in some versions of Parallels' Plesk Panel control panel software appears to have been key to the recent penetration of two servers hosting websites for the Federal Trade Commission. The vulnerability in the software, which is used for remote administration of hosted servers at a large number of Internet hosting companies, could spell bad news for hosting providers who haven't applied the latest updates, as well as their customers.

Because the vulnerability allows someone to make significant changes to the user accounts, files, and security of a targeted site, hackers who took advantage of the Plesk vulnerability may still have access to sites they have breached even after patches are applied. If your site is hosted with a provider that uses Plesk for site administration, it's worth taking a good look at the content on your server, and the accounts configured to access it—and resetting all your accounts' passwords.

Originally developed by Virginia-based Plesk Inc., and acquired by Parallels (then SWSoft) in 2003, Plesk allows an administrator to create FTP and e-mail accounts, as well as manage other aspects of the associated hosting account. And as with other control panel applications for hosted sites, such as CPanel, it can also draw on an "Application Vault" to install common software packages (i.e., Drupal CMS and WordPress blog software) that are preconfigured for the hosting environment.

Plesk is widely used in the hosting industry. Rackspace offers Plesk-based control of some hosting accounts, as does Media Temple—the hosting provider whose servers housed the FTC sites business.ftc.gov and OnGuardOnline.gov, among others. The software is also used by government and educational institutions; the Department of Energy's Lawrence Berkeley National Laboratory uses it as part of its web self-service. That sort of footprint makes Plesk a prime target for hackers looking to take control of websites.

Keys to the kingdom

On some hosting platforms, it's also possible to create an FTP account that can gain access through a secure shell (SSH) terminal session, as documented by Media Temple's knowledge base. In the case of the FTC hacks, it appears that just such an account was used to gain access to Media Temple's servers, pull data from the MySQL databases powering the Drupal and WordPress sites, and then delete the contents of the server and post new content—going well beyond the usual sort of web defacement.

There's reason for concern that the breaches may well extend well beyond the FTC servers, and beyond Media Temple. Members of the Antisec group have claimed they have a substantial number of other government sites already compromised and ready for defacement.

The critical vulnerability in Plesk as described by Parallels in a knowledge-base entry is in the API of a number of versions of the software. Other applications can drive Plesk through a PHP interface called agent.php; the vulnerability allows hackers to use a SQL injection attack—sending SQL queries to the interface as part of a post—and thereby gaining access to the Plesk server software with full administrative access. They could then create accounts that give them the ability to log into the server remotely with administrative rights. And in cases where administrators could create accounts with SSH access, they could create new user accounts with full access to the file system that could then be used to further exploit the host itself.

Parallels product manager Blake Tyra said in a Plesk forum post that patches that fix the agent.php vulnerability have been available since September. But according to some customers, the e-mail alerting them to the critical nature of the vulnerability in unpatched versions of Plesk was not sent until February 10. That e-mail advised customers to apply updates immediately to versions 8, 9, and 10 of the software if they had not already been patched. "Parallels has been informed of a SQL injection security vulnerability in some older versions of Plesk," the message read. "Parallels takes the security of our customers very seriously and urges you to act quickly by applying these patches."

Beyond applying the patch, Tyra said that fixing the vulnerability would also require the resetting of all customer's passwords. "If they were already at the identified update levels, you should be OK," he wrote. "If not, and you see POST requests to agent.php that are not from you (or any components you have that may be integrating with Plesk), prior to applying the updates, this could be cause for concern. Any requests to agent.php after applying the updates should be harmless. Because of the nature of the vulnerability (i.e. SQL injection), there is the potential for the attacker to maintain access to the server even after the original entry point was closed if they gained access to any user accounts. Especially because of the last point, this is why we recommend that any compromised server have its passwords reset as soon as possible."

But even then, the damage may already have been done, through installation of other back-doors on the system. And some Plesk customers have expressed concern over whether the patches have been effective in shutting down the exploit, especially if they've already been hacked. Parallels did not respond to inquiries from Ars about the exploit.

Media Temple, for its part, runs multiple versions of Plesk; depending on when customers acquired a server and whether they have upgraded service, their server may be running Plesk 8, 9, or 10 based on a random sampling of sites checked by Ars. According to sources familiar with the hack of the FTC sites on Media Temple's servers, Plesk was at least part of the route members of Anonymous' Antisec collective used to gain access to the sites. And it's not clear whether Media Temple was aware of the critical nature of the Plesk vulnerability at the time the sites were hacked—the first site was defaced on January 24, and the second server may have already been compromised by the time Parallels' alert email was sent out.

In a follow-up interview with Ars, Media Temple chief marketing officer Kim Brubeck said that Media Temple was "dealing with an additional problem with Plesk," but would not say if it was directly connected to the FTC site breaches.

There's reason for concern that the breaches may well extend well beyond the FTC servers, and beyond Media Temple. Members of the Antisec group have claimed they have a substantial number of other government sites already compromised and ready for defacement. That doesn't begin to include the potential number of sites powered by Plesk-connected servers that have been compromised for other purposes, including the infection of sites with malware, creation of malicious pages within sites for use in clickjacking attacks, or other more covert hacking and fraud schemes.

Not ready for .gov

When Media Temple knew about the Plesk problem isn't the only thing in doubt in the FTC site hacks. There's also the question of whether the sites should have been on Media Temple in the first place, and whether they were prepared for the security implications of hosting even a relatively harmless federal government "microsite." Media Temple and Fleishman-Hilliard (the global public relations firm that developed the FTC sites that were hacked) have given conflicting accounts regarding whether Media Temple knew it was hosting federal government websites, and whether it presented itself as ready to handle the potential elevated security issues that came with them.

Brubeck had previously hinted that the blame for the hack belonged with Fleishman-Hilliard, because they had declined to update application software on the site. And she had said that Media Temple, as a policy, did not pursue government customers, because the company's data center is not certified as compliant with Federal Information Security Management Act (FISMA) regulations.

But since the sites built by Fleishman-Hilliard were "microsites," containing mostly consumer-facing information and not handling personal data, they didn't fall under the government's FISMA security regulations. According to Fleishman-Hilliard's Washington, DC web services team leader Dave Gardner, the FTC's use of Media Temple dates back to 2010, when he and his team introduced the agency to the hosting provider as a low-cost option for hosting Drupal-based websites.

In June of 2010, Gardner called Media Temple's support center to ask if the company was hosting any other government customers. In an e-mail Gardner shared with Ars, a support representative for Media Temple told Gardner, "we do host government sites, and the servers are in compliance with your needs because of previous inquiries and customers."

That exchange apparently came as news to Brubeck, who told Ars in an intial interview that Media Temple wasn't interested in hosting .gov sites, because hosting government domains "paints a big bulls-eye" on servers for attention from hackers such as Anonymous. According to Brubeck, Media Temple's executives were unaware that the FTC was hosting .gov sites on the company's virtual dedicated host service until the FTC hack occurred.

That lack of awareness was apparently in spite of the fact that it was the FTC that actually paid for the service, receiving invoices directly from the hosting company. When asked about the why Media Temple didn't know that servers that were being paid for directly by the government were running government sites, Brubeck said that the account was flagged by Media Temple's strategic accounts group as a "creative" account because Fleishman-Hilliard made the initial contact with them. The invoicing could be set up however the customer wanted, she said, and "unfortunately, the system doesn't flag us for things like that."

The FTC isn't the only federal agency that used Media Temple. For example, the Department of Health and Human Services uses the provider to host another Drupal-based site for the Presidential Commission for the Study of Bioethical Issues, Bioethics.gov. A number of state and local governments also operate .gov domains on Media Temple.

"For Media Temple to claim ignorance of hosting the FTC—or other government—sites is completely false," said Bill Pendergast, the general manager of Fleishman-Hilliard's DC operations. "In their own words, Media Temple is deep in this area, with what they claim to be the appropriate level of compliance. It's hard to see how their fiction helps anyone get to a constructive outcome."

Media Temple is now eager to get the .gov bullseye off its back. The company contacted Fleishman-Hilliard and the FTC after the second server breach, asking them to move any additional sites off the hosting company's servers within 48 hours.

Further technical details on the hack may be a while in coming from Media Temple or the FTC. The FBI is now investigating the case, and both the hosting company and the FTC have declined to comment further.