1.0" exploit & PSA!

2025-04-07

This affects all PLESK PSA versions that use RedHat RPM Linux 7.x and anyone who has openssl version lower that 0.9.7.

The attacker hits the openssl with the child jammer request of "GET /sumthin HTTP/1.0"

You can see this in your logs.

Multiple apache child processes get wedged together and stall, during this time the intruder proceeds to establish some sort of scanning mechanism that binds itself to port 443 taking up the place of the stalled child PID's in an attempt to conceal itself. But just at that moment a change is made via PSA control panel and apache restarts.

Thus it exits with the [crit] cannot bind to port 443 error, because the apache scanner is still bound port 443.

It appears that a sigterm will not kill this scanner. So a cron job that tries to restart apache will not work here and it takes a reboot to kill all processes and thus clearing the port again for normal use.

This can cause minutes and possible hours(if not noticed) of downtime!