I wrote about the infected PLESK systems again; Brian Krebs wrote about the topic later in the year (http://krebsonsecurity.com/2012/07/plesk-0day-for-sale-as-thousands-of-sites-hacked/), but until now I have not seen any post on the actual infected servers.
I took some time during the holidays to fix my http-plesk-backdoor.nse script and make a wider search for infected and still-compromised PLESK installations. The work is still in progress, and the stats below are rough.
There are 256 class A networks, 0.0.0.0/8 to 255.0.0.0/8; each block has 16.777.216 possible addresses. Not all of each /8 is in use, and many are reserved (more at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). I started my search with the European networks, allocated by RIPE NCC, and will move on to ARIN (US-based networks) and then to the rest.
How long it takes to scan an entire class A depends entirely on your ISP's tolerance and the connectivity your server has to the internet. Scanning a European range from a server outside the EU network will take more time, but nothing extreme; estimate a total added time of 20-30 minutes per scan. My scans took around 10 hours to complete for each class A (16.777.216 addresses), including the script execution time.
Initially I thought the script execution would take a huge amount of time compared with nmap's plain scanning, but the scripting engine does a great job with NSE scripts, and the time added is roughly one extra hour when the script is used.
Results so far:
6 European-based networks scanned (100.663.296 addresses): 91.970 systems with port 8443 open (not all of them are PLESK servers).
Compromised / infected PLESK systems: 3.094
Number of domains on the hacked servers above: 15.979
The number of domains is an estimate based on a ‘feature’ of many PLESK installations: a reverse DNS lookup on the server IP returns all the domains currently hosted on that server.
If you need details on the networks and hosts found infected, please contact me via email with a valid reason.
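The three numbers above (hosts with 8443 open, hosts flagged by the script, domains on flagged hosts) all come out of nmap's XML output. As an added example, not part of this post or of the http-plesk-backdoor.nse script, here is a small Python tally over a run such as `nmap -p 8443 --script http-plesk-backdoor -oX out.xml <range>`. The XML element structure (`host`, `address`, `hostnames/hostname type="PTR"`, `ports/port/state`, `port/script`) is nmap's own; the sample file is constructed, and it is an assumption that the script emits a `script` element with non-empty `output` only on hosts it considers compromised. The domain count here uses the PTR names nmap recorded per flagged host, which is only a rough stand-in for the reverse lookup described above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of nmap -oX output for three hosts. Addresses are from the
# documentation range 198.51.100.0/24; the script output text is an assumption.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <hostnames>
      <hostname name="shop.example" type="PTR"/>
      <hostname name="blog.example" type="PTR"/>
    </hostnames>
    <ports><port protocol="tcp" portid="8443"><state state="open"/>
      <script id="http-plesk-backdoor" output="backdoor found (assumed output)"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="198.51.100.11" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="8443"><state state="open"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="198.51.100.12" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="8443"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def summarize(xml_text, script_id="http-plesk-backdoor", port="8443"):
    """Return (stats, flagged): stats counts hosts with the port open, hosts the
    script flagged, and PTR names on flagged hosts; flagged lists (ip, [names])."""
    root = ET.fromstring(xml_text)
    stats = Counter()
    flagged = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"

        # Only hosts where the scanned port is actually open are Plesk candidates.
        port_el = host.find(f"ports/port[@portid='{port}']")
        if port_el is None:
            continue
        state_el = port_el.find("state")
        if state_el is None or state_el.get("state") != "open":
            continue
        stats["port_open"] += 1

        # Assumption: the script element is present with output only on
        # hosts the script considers compromised.
        script_el = port_el.find(f"script[@id='{script_id}']")
        if script_el is None or not script_el.get("output"):
            continue
        stats["compromised"] += 1

        # Rough domain estimate: PTR names nmap resolved for this host.
        ptr_names = [h.get("name") for h in host.findall("hostnames/hostname")
                     if h.get("type") == "PTR"]
        stats["domains"] += len(ptr_names)
        flagged.append((addr, ptr_names))
    return stats, flagged


def summarize_file(path):
    """Same tally over an nmap -oX file on disk."""
    with open(path, encoding="utf-8") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    stats, flagged = summarize(SAMPLE_XML)
    print(f"port open: {stats['port_open']}, compromised: {stats['compromised']}, "
          f"domains: {stats['domains']}")
    for ip, names in flagged:
        print(ip, ", ".join(names) or "(no PTR)")
```

Running it on the constructed sample reports 2 hosts with 8443 open, 1 flagged, 2 domains; pointed at a real `-oX` file it gives the same three figures the post reports, per scanned range.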