
Issue: hacked WordPress got root:root files in his account. Is it cleanable?

orenk

Basic Pleskian
A customer of mine just used a hacked plugin and got his website hacked... His problem...
But.
In his storage, I found very disturbing things... Many files with root:root access... and not normal PHP files.
Take a look at the pictures.

Any suggestions?
I think the server is totally hacked.
Unless you think this is normal for a user to have such access (bash with root access).


[three screenshots attached]
 
I SSH to the server, and then I type
# su <hacked username>
and then
# groups
I get 'root' in the group list... it means the user somehow got root permissions... or something...

Anyway, I think a WordPress instance should not have the ability to create links to those files (assuming those are links); it probably runs shell scripts through PHP.
The server image was restored from backup, but this case I caught right away... what about other cases that we don't have control over?
I can make a script that runs every few minutes to check all users' permissions and groups, but maybe the Plesk security team should worry about that too...
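The periodic check described in the post above, written out as an added example (this is not code from the thread or from Plesk). It audits three of the symptoms mentioned: membership of privileged groups in a group(5)-format file, files under a vhost directory that are not owned by the expected system user, and symlinks that point outside the vhost. The sample group file and vhost tree at the bottom are constructed for the demonstration; the group list `root wheel sudo adm` and the path layout are assumptions. On a real Plesk host you would pass `/etc/group`, `/var/www/vhosts/<domain>` and that domain's system-user uid instead.

```shell
#!/bin/sh
# Added example, not from the thread: audit a vhost for the symptoms the
# original poster describes. All inputs are passed as arguments so the checks
# run on constructed sample data (below) or on the real /etc/group and
# /var/www/vhosts/<domain> (assumed Plesk layout).

# Print "user group" for each member of the given privileged groups.
# Usage: find_privileged_members /etc/group [group ...]
# Default groups (an assumption): root wheel sudo adm
find_privileged_members() {
    group_file="$1"
    shift
    groups="${*:-root wheel sudo adm}"
    for g in $groups; do
        # group(5) format: name:x:gid:member1,member2,...  (field 4 = members)
        awk -F: -v g="$g" '$1 == g && $4 != "" { print $4 }' "$group_file" \
          | tr ',' '\n' \
          | sed "s/\$/ $g/"
    done
}

# Print every path under a vhost directory whose owner uid differs from the
# expected one (e.g. root-owned files dropped into a customer's tree).
# Usage: find_foreign_owned_files /var/www/vhosts/example.com 1001
find_foreign_owned_files() {
    find "$1" ! -uid "$2" -print
}

# Print symlinks under a vhost directory whose absolute target lies outside it
# (such as links to system libraries). Relative targets are not resolved here.
# Usage: find_escaping_symlinks /var/www/vhosts/example.com
find_escaping_symlinks() {
    dir="$1"
    find "$dir" -type l -print | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            "$dir"/*) ;;                      # absolute target inside the vhost
            /*) echo "$link -> $target" ;;    # absolute target outside: report
        esac
    done
}

# Constructed sample data (not from a real server) so the checks run offline:
# one user in wheel, one PHP file, one symlink to a system library, one
# harmless symlink inside the vhost.
build_sample_data() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
wheel:x:10:jdoe
sudo:x:27:
www-data:x:33:
webuser:x:1001:
EOF
    mkdir -p "$tmp/vhost/httpdocs"
    echo '<?php echo "hello";' > "$tmp/vhost/httpdocs/index.php"
    ln -s /lib/x86_64-linux-gnu/libc.so.6 "$tmp/vhost/httpdocs/libc.so.6"
    ln -s "$tmp/vhost/httpdocs/index.php" "$tmp/vhost/httpdocs/home.php"
    echo "$tmp"
}

SAMPLE=$(build_sample_data)
echo "== members of privileged groups =="
find_privileged_members "$SAMPLE/group"
echo "== files not owned by uid $(id -u) =="
find_foreign_owned_files "$SAMPLE/vhost" "$(id -u)"
echo "== symlinks escaping the vhost =="
find_escaping_symlinks "$SAMPLE/vhost"
rm -rf "$SAMPLE"
```

Run from cron every few minutes against each vhost and mail or log any non-empty output; on the sample data the first check reports `jdoe wheel`, the second reports nothing (the files belong to the current user), and the third reports the `libc.so.6` link.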
 
# groups <domain ftp user>
I don't get 'root' on any user from my server.

Can you check without su?
# groups <hacked username>
 
Thanks for the idea...
The hacked account didn't get into root or any suspicious groups; its group list is normal like any other account's.
Somehow it linked some system libraries into the account's folder, without any SSH access or access to the Plesk panel, only through WordPress. That is still annoying.
 
For the future, I suggest adding this line to the "additional configuration directives" of PHP:
Code:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
Else PHP is able to execute system commands, even if SSH permission is not granted. It can be possible to hijack the whole server through a PHP script when the script gains access to system level commands.
 
For the future, I suggest adding this line to the "additional configuration directives" of PHP:
Code:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
Else PHP is able to execute system commands, even if SSH permission is not granted. It can be possible to hijack the whole server through a PHP script when the script gains access to system level commands.
I absolutely agree with this; it's always the first thing that we do.
 
For the future, I suggest adding this line to the "additional configuration directives" of PHP:
Code:
disable_functions=exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen
Else PHP is able to execute system commands, even if SSH permission is not granted. It can be possible to hijack the whole server through a PHP script when the script gains access to system level commands.
Maybe this should be added as default, at installation time.

Do you have any more tips/guides to secure Plesk servers?
 
Do you have any more tips/guides to secure Plesk servers?
Something many people don't do, but which is absolutely essential, is to remove the execution permissions from your server-wide /tmp path or partition. For example, when /tmp is a separate partition, edit /etc/fstab and change
Code:
/dev/sda3 /tmp ext4 defaults 0 0
to
Code:
/dev/sda3 /tmp ext4 defaults,nodev,nosuid,noexec 0 0
where "/dev/sda3" is just one possible location (example) of the /tmp partition. It might be a different device on your system. Edit the correct entry using the correct device name that applies to your system.
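An added example (not code from the thread or from Plesk) that audits the two hardening settings recommended in this thread: the `disable_functions` list for PHP and the `nodev,nosuid,noexec` options on the /tmp entry in /etc/fstab. The ini fragment and the two fstab files at the bottom are constructed samples; `write_samples`, `check_disable_functions` and `check_tmp_mount_options` are names chosen here. Against a real server you would pass the domain's effective php.ini (or the output of `php -i`) and `/etc/fstab`, and confirm the live mount with `findmnt /tmp`.

```shell
#!/bin/sh
# Added example, not from the thread: check a PHP ini fragment and an fstab
# file against the two hardening recommendations made above. Paths are passed
# in, so the functions work on the constructed samples below or on the real
# /etc/fstab and php.ini.

# The list recommended in the thread.
RECOMMENDED_DISABLED="exec,passthru,shell_exec,system,popen,show_source,pcntl_exec,proc_open,proc_terminate,proc_close,pfsockopen"

# Print each recommended function that is NOT in the ini file's
# disable_functions directive (i.e. is still callable from PHP).
# Usage: check_disable_functions /path/to/php.ini
check_disable_functions() {
    ini="$1"
    # last disable_functions= line wins; strip the key, spaces and quotes
    disabled=$(grep -i '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | sed 's/^[^=]*=//; s/[[:space:]]//g; s/"//g')
    echo "$RECOMMENDED_DISABLED" | tr ',' '\n' | while read -r fn; do
        case ",$disabled," in
            *",$fn,"*) ;;          # already disabled
            *) echo "$fn" ;;       # still callable
        esac
    done
}

# Print "missing <option>" for each of nodev, nosuid, noexec absent from the
# /tmp entry, or "no /tmp entry" if /tmp is not a separate mount in the file.
# Usage: check_tmp_mount_options /etc/fstab
check_tmp_mount_options() {
    fstab="$1"
    # fstab fields: device mountpoint fstype options dump pass (skip comments)
    opts=$(awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }' "$fstab" | tail -n 1)
    if [ -z "$opts" ]; then
        echo "no /tmp entry"
        return 0
    fi
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "missing $want" ;;
        esac
    done
}

# Constructed samples (not from a real server): an incomplete disable_functions
# line, the weak fstab from the thread, and the hardened version.
write_samples() {
    tmp=$(mktemp -d)
    cat > "$tmp/php.ini" <<'EOF'
; the proc_* family and pfsockopen were left out
disable_functions = exec,passthru,shell_exec,system,popen,show_source,pcntl_exec
EOF
    cat > "$tmp/fstab.weak" <<'EOF'
# <device>   <mount>   <type>   <options>                    <dump> <pass>
/dev/sda1    /         ext4     defaults                     0      1
/dev/sda3    /tmp      ext4     defaults                     0      0
EOF
    cat > "$tmp/fstab.hardened" <<'EOF'
/dev/sda1    /         ext4     defaults                     0      1
/dev/sda3    /tmp      ext4     defaults,nodev,nosuid,noexec 0      0
EOF
    echo "$tmp"
}

S=$(write_samples)
echo "== PHP functions still callable =="; check_disable_functions "$S/php.ini"
echo "== weak fstab ==";     check_tmp_mount_options "$S/fstab.weak"
echo "== hardened fstab =="; check_tmp_mount_options "$S/fstab.hardened"
rm -rf "$S"
```

On the samples, the first check lists `proc_open`, `proc_terminate`, `proc_close` and `pfsockopen`; the weak fstab yields three `missing` lines and the hardened one yields nothing. Note that the fstab check only reads the file: after editing it, remount (`mount -o remount /tmp`) and verify the running options, because a changed fstab alone does not protect the currently mounted /tmp.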
 