{"id":10020,"date":"2013-04-29T23:07:52","date_gmt":"2013-04-30T04:07:52","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=10020"},"modified":"2013-04-29T23:15:30","modified_gmt":"2013-04-30T04:15:30","slug":"possible-exploit-vector-for-darkleech-compromises","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=10020","title":{"rendered":"Possible Exploit Vector for DarkLeech Compromises"},"content":{"rendered":"<blockquote><p>The script attempted to exploit the\u00a0<a href=\"http:\/\/kb.parallels.com\/en\/113374\">Horde\/IMP Plesk Webmail Exploit<\/a>\u00a0in vulnerable versions of the Plesk control panel. <strong>By injecting malicious PHP code in the username field<\/strong>, successful attackers are able to bypass authentication and upload files to the\u00a0targeted\u00a0server.\u00a0These types of attacks could be one avenue used in the\u00a0<a href=\"http:\/\/blogs.cisco.com\/security\/apache-darkleech-compromises\/\">DarkLeech<\/a>\u00a0<a href=\"http:\/\/arstechnica.com\/security\/2013\/04\/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites\/\">compromises<\/a>. Although not as common as the Plesk remote access vulnerability (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2012-1557\">CVE-2012-1557<\/a>) described in the\u00a0<a href=\"http:\/\/malwaremustdie.blogspot.jp\/2013\/03\/the-evil-came-back-darkleechs-apache.html\">report<\/a>, it does appear that this vulnerability is being actively exploited.\u00a0<span id=\"more-111123\"><\/span><\/p><\/blockquote>\n<p>via <a href=\"http:\/\/blogs.cisco.com\/security\/possible-exploit-vector-for-darkleech-compromises\/\">Possible Exploit Vector for DarkLeech Compromises<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The script attempted to exploit the\u00a0Horde\/IMP Plesk Webmail Exploit\u00a0in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the\u00a0targeted\u00a0server.\u00a0These types of attacks &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=10020\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[284],"tags":[1125,171,55,698],"class_list":["post-10020","post","type-post","status-publish","format-standard","hentry","category-servers","tag-exploit-vector","tag-perl","tag-php","tag-security-research"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/10020","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10020"}],"version-history":[{"count":1,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/10020\/revisions"}],"predecessor-version":[{"id":10021,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/10020\/revisions\/10021"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10020"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}