Williams analyzed the attack code released by Kingcope and said that "the script exploits the vulnerable versions of the Plesk control panel by injecting malicious PHP code, allowing successful attackers to execute arbitrary commands with the privileges of the Apache server userid."
"Those unable to disable the vulnerable version of Plesk or upgrade to more recent, unaffected code should consider additional hardening outside of PHP, such as running their Apache instance within a chroot environment or restricting access to the Plesk control panel, e.g. via IP ACLs [access control lists] or HTTP authentication," Williams said.
What command not found!? After a few puzzling moments I realized it: that is the end of my panel admin's password! In the original form the password was [lot of characters here]>AB12. Somebody at Parallels goofed! What would happen if your password had special characters? What if some of those characters were special in your command prompt? Not very solid backup code, huh!
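The failure described in the post above, reproduced as an added example (this is not the Plesk backup code): a password containing shell metacharacters is spliced into a command string and re-parsed by the shell, so `>` becomes a redirection and `;` starts a second command. The password values and the `fake_client` stand-in for whatever tool the backup invoked are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Plesk's backup code. 'fake_client' is an assumption
# standing in for the tool the backup script invoked; it just prints each
# argument it received, one per line, so we can see what arrived.
fake_client() {
    printf '%s\n' "$@"
}

# Unsafe pattern: build the command line as a string and hand it back to the
# shell with eval. Every metacharacter in the password is then parsed as shell
# syntax: 'S3cret>AB12' becomes "--password S3cret" plus a redirection into a
# file named AB12, and 'x; AB12' runs a second command called AB12, which is
# exactly the "AB12: command not found" symptom from the post.
run_unsafe() {
    workdir=$1; password=$2
    ( cd "$workdir" && eval "fake_client --user admin --password $password" )
}

# Safe pattern: pass the value as a single double-quoted argument. It is never
# re-parsed, so the client receives it byte for byte.
run_safe() {
    workdir=$1; password=$2
    ( cd "$workdir" && fake_client --user admin --password "$password" )
}

# Safer still for a real tool: keep the secret off the command line entirely
# (argv is visible to every local user via ps) and feed it through stdin or a
# 0600 file. 'fake_client_stdin' models a client that reads it from stdin.
fake_client_stdin() {
    IFS= read -r pw
    printf '%s\n' "$@" "$pw"
}
run_via_stdin() {
    workdir=$1; password=$2
    ( cd "$workdir" && printf '%s\n' "$password" | fake_client_stdin --user admin )
}
```

The unsafe variant is not only a usability bug: anyone who can set a password that later reaches such a script (a customer, a reseller, or an attacker who changed one) gets command execution as whichever user runs the backup.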
Above, you can see the command injection attempt contained in the POST body. In this proof of concept, the command executed by the exploit is a fairly benign system call, but it could easily be changed to something more nefarious; in a previous post we saw attackers use a very similar vulnerability to build an IRC-based botnet. As always, affected servers should disable the vulnerable panel or upgrade to the latest version, which is not vulnerable.
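The IP ACL and HTTP authentication recommended above, as an added Apache 2.4 configuration example (not from the post and not Plesk's own configuration). It assumes the panel is reachable under the path /plesk on a vhost that Apache serves, that the admin networks are 203.0.113.0/24 and 198.51.100.7, and that the htpasswd file lives at /etc/httpd/panel.htpasswd; all of these are placeholders. Plesk's own panel normally listens on port 8443 through its own web server rather than the site Apache, so apply the same idea wherever the panel is actually exposed. The weak stanza and the hardened one are shown side by side.

```apache
# Weak: the panel path is reachable from anywhere, with nothing in front of the
# application's own login form. One PHP bug in the panel is then exposed to
# the whole internet.
<Location "/plesk">
    Require all granted
</Location>

# Hardened: only the admin networks can reach it, and only after a separate
# HTTP authentication layer that the panel's PHP code never sees. RequireAll
# means both conditions must hold; an exploit from an unlisted address, or
# without valid-user credentials, never reaches the vulnerable code.
<Location "/plesk">
    AuthType Basic
    AuthName "Control panel"
    AuthUserFile "/etc/httpd/panel.htpasswd"
    <RequireAll>
        Require ip 203.0.113.0/24 198.51.100.7
        Require valid-user
    </RequireAll>
</Location>
```

Create the credential file with `htpasswd -B -c /etc/httpd/panel.htpasswd admin` (bcrypt hashes), run `apachectl configtest` before reloading, and confirm from an address outside the ACL that the path now returns 403 rather than the login page.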
Now submit the CSR file to the certificate authority (CA) to purchase the SSL certificate. Send only the CSR; the private key stays on the server and must never leave it. Once the CA has validated the request, the SSL/TLS certificate is issued as either a *.crt or a *.pem file. With the CSR and the private key generated, you are ready to install the certificate in the Plesk Onyx 17 control panel.
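The key and CSR generation step, plus the check worth doing before installing the returned certificate in Plesk, as an added openssl example (not Plesk's own tooling). The hostname and paths are placeholders, and `selfsign_for_test` stands in for the CA so the whole flow can be exercised offline; a real CA signs with its own key and returns the *.crt or *.pem file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Plesk.

# Key + CSR. The key is created with mode 0600 and stays on the server; only
# the .csr is uploaded to the CA. -addext needs OpenSSL 1.1.1 or later
# (browsers require a subjectAltName, a bare CN is no longer enough).
gen_key_and_csr() {
    dir=$1; host=$2
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null )
}

# Stand-in for the CA (test only): self-sign the CSR with the same key.
selfsign_for_test() {
    csr=$1; key=$2; out=$3
    openssl x509 -req -in "$csr" -signkey "$key" -days 1 -out "$out" 2>/dev/null
}

# The check to run before touching Plesk: the public key inside the issued
# certificate must be the one derived from our private key. If it is not, the
# CA signed a different CSR or the wrong file was downloaded, and Plesk will
# either reject the pair or serve a site that fails the TLS handshake.
# Returns 0 on match, 1 otherwise (including unreadable files).
cert_matches_key() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Quick report of what was issued: subject, issuer and validity window.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}
```

Usage on the server: `gen_key_and_csr /root/tls www.example.com`, upload `www.example.com.csr` to the CA, save the returned certificate next to it, then `cert_matches_key www.example.com.crt www.example.com.key && echo OK` before pasting the key and certificate into Plesk's SSL/TLS Certificates page.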
Plesk is a web hosting control panel with an intuitive graphical interface, a ready-to-code environment and powerful extensions. It comes with a complete set of security tools and features for your apps, websites, networks, servers and OSes.
How do I run WebSocket scripts written in PHP in the Plesk web hosting control panel? I need to run a PHP WebSocket script 24/7/365. The script, websocket_server.php, is located at: /var/www/vhosts/abc.xy/httpdocs/proj_ci/application/libraries/websocket_server.php
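One way to keep that script running around the clock, as an added example that is not part of the question or of Plesk: a systemd unit that starts the server at boot, restarts it if it crashes, and runs it as the subscription's own system user rather than root. The function below generates the unit from parameters. Assumptions, all placeholders: the subscription's system user is `abcxy` (Plesk creates one per subscription; it is shown under the domain's Hosting Settings), the group is `psacln` (the group Plesk assigns to subscription users), and the PHP binary is `/opt/plesk/php/8.1/bin/php`. The script path is the one from the question.

```shell
#!/bin/sh
# Added example, not from the question or from Plesk.

# Writes a systemd unit for the WebSocket server.
#   $1 = directory to write into (/etc/systemd/system in production)
#   $2 = system user of the subscription (assumed 'abcxy')
#   $3 = PHP binary                      (assumed /opt/plesk/php/8.1/bin/php)
#   $4 = absolute path of the script
write_websocket_unit() {
    unit_dir=$1; run_user=$2; php_bin=$3; script=$4
    script_dir=$(dirname "$script")
    cat > "$unit_dir/websocket-abcxy.service" <<EOF
[Unit]
Description=PHP WebSocket server for abc.xy
After=network.target

[Service]
# Run as the domain's own user, never as root: a bug in the script then
# cannot reach other customers' vhosts or Plesk itself.
User=$run_user
Group=psacln
WorkingDirectory=$script_dir
ExecStart=$php_bin $script
# Restart on any exit, after a short pause, so a crash does not take the
# service down until someone notices.
Restart=always
RestartSec=5
# Cheap hardening for a userland daemon.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
EOF
}
```

Install and start it with `write_websocket_unit /etc/systemd/system abcxy /opt/plesk/php/8.1/bin/php /var/www/vhosts/abc.xy/httpdocs/proj_ci/application/libraries/websocket_server.php`, then `systemctl daemon-reload && systemctl enable --now websocket-abcxy.service`; follow its output with `journalctl -u websocket-abcxy -f`. Open only the port the script listens on in the server firewall, and check that the chosen user actually has read access to the script directory.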
A single control panel with an intuitive graphical interface, a ready-to-code environment and powerful extensions. Peace of mind with a complete set of security tools and features for your apps, websites, networks, servers and OSes. Easily harden your properties and automate your security. Focus on your business, not on infrastructure management. Schedule server-related tasks and automate intelligent maintenance.