In the past few weeks, hackers compromised various Hostnet servers via a vulnerability in Plesk. Customer login credentials were captured in the process. The hosting company is calling on affected customers to change their passwords.
The attackers got into the servers via a serious vulnerability in Plesk, a server management tool that makes it possible to manage a domain via a web interface. It is not known on how many Hostnet servers the hackers managed to obtain login credentials, or how many customers this affects. By its own account, Hostnet has more than 165,000 customers. Hostnet personally informed the customers it knows to have been affected, and then informed its other customers.
According to Hostnet, the attackers already had access to the servers at the end of January. Although the number of affected servers is not known, they are likely servers that were running a vulnerable version of Plesk, because the update that closes the hole was only released later. The hosting company itself was only informed of the vulnerability in Plesk on February 10, and closed the hole at that time.
“An additional check of the relevant systems gave no reason at that time to believe that the vulnerability was being actively abused,” said Steven Mohamedajoeb, operations manager at Hostnet. “In the night of 4 to 5 March, however, we suddenly saw abnormal behaviour on some servers, because they began attacking Facebook.”
Further investigation by the company then showed that the attackers had struck on various servers. “We have about 2000 servers, most of which run Plesk. Fortunately, the majority is not susceptible, because the Plesk version in use is not susceptible or because the API access to Plesk was limited.”
Mohamedajoeb says it is still not exactly clear how many servers fell prey to the attackers. “Not every server was touched; it seems a little arbitrary. The attack patterns suggest that they made use of automated scripts and were thoroughly prepared.”
Because the attackers abused a flaw in the Plesk API, they also had easy access to the login credentials of other domains once they had a vulnerable domain. “Our investigation is not completed yet, but it seems that, through a vulnerable domain and by using the Plesk API, the attackers were easily able to also get their hands on the data of other domains on that server.”
The attackers were able to go about their business undisturbed in the past few weeks. The total size of the attack operation has yet to be determined. It is clear that various hosting companies, both in the Netherlands and worldwide, have fallen victim. Earlier this week, it was announced that Proserve’s customers had been hacked. At that hosting company too, compromised servers were used to attack Facebook, something the attackers also seem to have temporarily succeeded in this week.