Issue Important: Imunify auto installation and possible data leak

[Fede Marsell]

Server operating system version

AlmaLinux release 8.10

Plesk version and microupdate number

18.0.69

As many PLESK users have seen, a few days ago, the Imunify extension was installed automatically.

This installation was carried out without your consent.

This fact, in itself, is quite serious.

The reason for this post is that it is possible that much of your data has been transferred by this extension from your server to Imunify servers.

If you have seen that Imunify has been automatically installed on your server without your consent, it is urgent that you access your server via SSH and check if your files have been sent to external servers. Simply run the command:

grep Uploaded /var/log/imunify360/console.log

If you see logs like this, it means those files have been transferred to an external server:

INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious

This issue is being addressed in another POST, but it seems PLESK is unaware of the seriousness of the situation (Resolved - Plesk, what’s going on here? - Imunify auto installation).

If you are a PLESK user and have detected that this extension has been installed without permission, check the logs to see if your files may have been transferred to external servers.

This is very serious.

 

[Azurel]

Unfortunately, I had already deleted these remnants just yesterday – partly based on the advice from Plesk support. Your post, unfortunately, came one day too late for me. It would have been very helpful if someone had pointed out that this area should be checked earlier.

I'm honestly very disappointed with how Plesk has handled this situation.

I’d really appreciate it if others could share what exactly was transferred in their case – particularly whether it included vhost files or even system files, and to what extent. If vhost data was copied, that would raise serious concerns about informing affected users accordingly.

 

[Fede Marsell]

I manage many servers, on almost all of them (99%) Imunify was installed automatically (without consent), and this data transfer appears on all of them.

It would be helpful if someone from Imunify or PLESK could explain how these files, which have been transferred without any consent, are handled.

 

[Sebahat.hadzhi]

As many PLESK users have seen, a few days ago, the Imunify extension was installed automatically.

I have addressed this matter in the previous thread. To sum up, non-Imunify users were not target of this replacement and the installation was not done intentionally.

INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious

We have discussed this action with the CloudLinux team and it has been confirmed that any sensitive or personal data is excluded from the analysis. According to the information we have now, this functionality is part of paid packages which comes with the specific license. According to our information this check is not initiated by the Imunify installation itself. However none of your personal and sensitive data is included into the security analysis according to CloudLinux team words. If you would like to understand why you see this message in the log saying that there is no license on the server, please, submit a ticket.

 

[Fede Marsell]

this functionality is part of paid packages which comes with the specific license

As I've already told you, that's false.

Affected users can check it for themselves. They just have to run a simple grep: grep Uploaded /var/log/imunify360/console.log

 

[whsplesk]

I can confirm what Fede is saying as well. I did not install nor pay for any license from Immunify360, yet I've just discovered a lot of /vhost files have been uploaded from my server to Immunify.

What exactly does "any sensitive or personal data is excluded from the analysis" mean, and how is it determined?

 

[Azurel]

@whsplesk Which type of file was uploaded, and what raised suspicion?

 

[whsplesk]

@Azurel file types I've seen uploaded from /vhosts so far include .html, .htm, .txt, .cgi, .php, .zip, plus files located in /var/spool/cron/crontabs/

 

[Azurel]

I'm really starting to worry about what kind of data might have leaked from my server to Imunify. Honestly, it's unbelievable how badly they messed this up. Who needs hackers — Plesk does the job?

Sending data without user consent is absolutely unacceptable! An extension like that must ask first. You can't just send off files without permission — that's a total breach of trust.