Security Street Knowledge
  • RunForestRun PLESK Panel Hack
  • By: QJax – Recently website owners have been hit by a new attack that injects obfuscated code hidden within their legitimate .js file. SC Magazine is reporting “Plesk zero-day may be behind thousands of hacked sites”.  The malicious code is also found in ASP.NET pages and pure HTML pages.

    The original hack happened a few months ago when the attacker(s) used a Plesk Panel 0-day exploit to exfiltrate valid usernames & passwords from several websites running the vulnerable PLESK PANEL consoles.  The vulnerability allows the Plesk database to be read with the ability to view all the data stored in Clear-(freakin)-Text.  Once compromised, the attacker simply uses a valid account to alter JavaScript files on the site and then redirect unsuspecting visitors to a malicious site controlled by the attacker.


    Below is a FREE tool that will predict RunForestRun malicious domains.

    This code will generate future domains that the Plesk RunForestRun hack uses.  It is currently set for 30 days and generates 2 domains for each day. (before noon/ afternoon) starting at the date you provide!

    Example: hxxp://

    What is the starting date? (mm/dd/yr)


    The Attack Scenerio Explained

    1. Attacker exploits Plesk vulnerability to obtain user accounts (possibly months in advance)

    2. Attacker then uses his access to modify JavaScript files.

    3. The modification appends an iframe with a malicious script obfuscated to hide its functionality.

    4. The the malicious JavaScript will generate a seemingly random domain name every 12 hours. (based on date and time before noon or afternoon)

    5. The malicious domain will redirect the victim to a botnet that will execute the package Blackhole Exploit Kit.

    How to detect a compromised site

    • – Check your logs for valid Plesk logins from IP addresses that don’t belong to you.

    • – Check all JavaScripts for an Iframe with payload below:

    Payload of Obfuscated JavaScript

    The script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments ) looks like this:

    How can I view the deobfuscated JavaScript?

    Just use the Firefox Add-on “Firebug” to see the JavaScript after it has been processed by the browser.  Be sure to do this in a virtual machine to avoid being hacked while testing.

    • – The hacked site below was found on July 12, 2012 using a Google Dork >


    You can also use   to search for computers based on the “pleskwin” found in the HTTP header and filter on geography, operating system, IP address and more.

    PLESK Infected with RunForestRun exploit <CLICK TO ENLARGE>



    Fixing the Hacked site & Plesk Vulnerability?

    1. Remove the malicious JavaScript appended to your .JS files

    *First to find all the infected files:

    grep -rl –include=*.{php,js,html,htm} “km0ae9gr6m”

    *Next to remove the offending line:

    grep -rl –include=*.{php,js,html,htm} “km0ae9gr6m” * | xargs sed -i -e ’s/\/\*km0ae9gr6m/\n&/g’ -e ’s/qhk6sa6g1c\*\//&\n/g’ -e ‘/km0ae9gr6m*/,/qhk6sa6g1c/d’

    *This is how to break Plesk’s compromised File Manager if you don’t want to update to Plesk v11):

    cd /usr/local/psa/admin/htdocs/filemanager/

    mv filemanager.php filemanager._hp

    2. Change ALL of your Plesk console passwords!

    3. If you have a Plesk 8.x, Plesk 9.x or Plesk 10 server you should update to Plesk 11<HERE>.

    4. BLOCK the predictable generated domains to prevent users on your network from becoming a victim.


    Where can I find the exploit kit?

    1. Information about the exploit kit is here.

    2. Other disclosed PLESK hacks are here >



  • Comments: No Category: Uncategorized
  • Tags: , , , , , , , , , , , ,

Leave a Reply