
Issue Important: Imunify auto installation and possible data leak

Fede Marsell

Basic Pleskian
Server operating system version: AlmaLinux release 8.10
Plesk version and microupdate number: 18.0.69
As many PLESK users have seen, a few days ago, the Imunify extension was installed automatically.

This installation was carried out without your consent.

This fact, in itself, is quite serious.

The reason for this post is that it is possible that much of your data has been transferred by this extension from your server to Imunify servers.

If you have seen that Imunify has been automatically installed on your server without your consent, it is urgent that you access your server via SSH and check if your files have been sent to external servers. Simply run the command:

grep Uploaded /var/log/imunify360/console.log

If you see logs like this, it means those files have been transferred to an external server:

INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious

This issue is being addressed in another POST, but it seems PLESK is unaware of the seriousness of the situation (Resolved - Plesk, what’s going on here? - Imunify auto installation).

If you are a PLESK user and have detected that this extension has been installed without permission, check the logs to see if your files may have been transferred to external servers.

This is very serious.
 
Unfortunately, I had already deleted these remnants just yesterday – partly based on the advice from Plesk support. Your post, unfortunately, came one day too late for me. It would have been very helpful if someone had pointed out that this area should be checked earlier.

I'm honestly very disappointed with how Plesk has handled this situation.

I’d really appreciate it if others could share what exactly was transferred in their case – particularly whether it included vhost files or even system files, and to what extent. If vhost data was copied, that would raise serious concerns about informing affected users accordingly.
 
I manage many servers, on almost all of them (99%) Imunify was installed automatically (without consent), and this data transfer appears on all of them.

It would be helpful if someone from Imunify or PLESK could explain how these files, which have been transferred without any consent, are handled.
 
As many PLESK users have seen, a few days ago, the Imunify extension was installed automatically.

I have addressed this matter in the previous thread. To sum up, non-Imunify users were not the target of this replacement and the installation was not done intentionally.

INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious

We have discussed this action with the CloudLinux team and it has been confirmed that any sensitive or personal data is excluded from the analysis. According to the information we have now, this functionality is part of paid packages which come with the specific license. According to our information, this check is not initiated by the Imunify installation itself. However, none of your personal and sensitive data is included in the security analysis, according to the CloudLinux team. If you would like to understand why you see this message in the log saying that there is no license on the server, please submit a ticket.
 
I can confirm what Fede is saying as well. I did not install nor pay for any license from Imunify360, yet I've just discovered a lot of /vhost files have been uploaded from my server to Imunify.

What exactly does "any sensitive or personal data is excluded from the analysis" mean, and how is it determined?
 
I'm really starting to worry about what kind of data might have leaked from my server to Imunify. Honestly, it's unbelievable how badly they messed this up. Who needs hackers — Plesk does the job?

Sending data without user consent is absolutely unacceptable! An extension like that must ask first. You can't just send off files without permission — that's a total breach of trust.
 
This affects thousands of servers running PLESK, yet here we are, just three users concerned about security.

The rest of the community seems asleep.

I've been managing servers for decades, and the current feeling is that no one cares about security.

Plesk installs extensions without your consent. That extension sends your data to external servers without your knowledge, something that should be reported as an illegal practice.

But like I said, here we are. One post, eight replies, three users.

And what does PLESK do? Taking us for fools.
 
@Azurel file types I've seen uploaded from /vhosts so far include .html, .htm, .txt, .cgi, .php, .zip, plus files located in /var/spool/cron/crontabs/

I checked this on many servers, file by file, to see if they were infected or had injected code. Of 60 files manually analyzed, only one, wp-config.php, had injected code. The others were transferred for no reason.
 
We can also confirm that files are being uploaded by the free Imunify extension to external servers. This behavior cannot be avoided, as the option to disable it is simply missing. Only the more advanced Imunify360 offers the possibility to disable the automatic sending of suspicious and malicious files for analysis in the GUI. Depending on what was transmitted, this could now have caused data protection breaches on thousands of servers, requiring the owners to officially report them to the authorities and the affected users.
 
Thank you for your confirmation @Hangover2

You are correct. Affected users should save the logs directory /var/log/imunify360/ as proof of the illegal data transfer. This is necessary for future action.
 
Hello everyone.
My name is Ekaterina and I am product manager of Imunify extension in Plesk.

I investigated this matter with CloudLinux and would like to share with you the findings.
Thank you for your patience.

Imunify is widely acknowledged as a reputable and trusted security extension, consistently demonstrating its effectiveness and reliability across a broad user base. To further ensure data protection, I conducted an internal review in collaboration with the CloudLinux team.

As a result of the internal check conducted with the CloudLinux team, they confirmed that the extension does not use personal or sensitive data for security analysis and that it is removed instantly once found while still being on the server.

It means that the personal/sensitive data is not transferred externally or stored on their analysis server.

The CloudLinux team has no intent to use, and does not use, any personal or sensitive data; only suspicious/malicious information is analysed in order to provide security on the server.

Appreciate your understanding.
 
Imunify is widely acknowledged as a reputable and trusted security extension, consistently demonstrating its effectiveness and reliability across a broad user base. To further ensure data protection, I conducted an internal review in collaboration with the CloudLinux team.

That information is irrelevant.

We're talking about unauthorized installations and data transfers without any kind of consent. I believe PLESK is unaware of either the seriousness of the situation or its legal responsibility.

As a result of the internal check conducted with the CloudLinux team, they confirmed that the extension does not use personal or sensitive data for security analysis and that it is removed instantly once found while still being on the server.

It means that the personal/sensitive data is not transferred externally or stored on their analysis server.

The evidence indicates the opposite. And any user can verify this. In fact, many have already verified it.

An example of the transfer of files called config.php. None of them, I repeat: none of them contain malware. They are legitimate files.

INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/config.php' to the Malware Response Service with reason: extended-suspicious

PLESK's response is clearly deficient. The severity of the situation would require decisive measures.
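The grep in the opening post tells you whether uploads happened; the next thing an affected administrator needs is an inventory of what left the server, per vhost and per reason, with the entries most likely to hold credentials (config.php, wp-config.php, crontabs, as named in this thread) called out for the data-protection assessment. The following script is an added example written for this thread, not code from Plesk, Imunify or CloudLinux. It parses both log shapes shown above (with and without the bracketed timestamp), the sample log lines and the list of credential-bearing file names are constructed for the example, and it assumes the real log lives at /var/log/imunify360/console.log as stated in the thread.

```python
"""Inventory of files that Imunify's console.log reports as uploaded to the
Malware Response Service. Added example for triage and evidence preservation;
not part of Plesk, Imunify or CloudLinux."""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Matches both line shapes seen in the thread: with "[timestamp]" and without.
UPLOAD_RE = re.compile(
    r"^INFO\s*(?:\[(?P<ts>[^\]]+)\]\s*)?imav\.malwarelib\.utils\.malware_response:\s*"
    r"Uploaded file '(?P<path>[^']+)' to the Malware Response Service with reason:\s*(?P<reason>\S+)"
)
VHOST_RE = re.compile(r"^/var/www/vhosts/(?P<vhost>[^/]+)/")

# Constructed list (assumption, not from Imunify): file names that commonly hold
# database passwords or API keys and therefore matter for a breach assessment.
CREDENTIAL_NAMES = {"config.php", "wp-config.php", "configuration.php", ".env"}
CRON_PREFIX = "/var/spool/cron/"   # crontab uploads were reported in the thread

# Constructed sample log, in the format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:22:29,001] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/wp-config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.org/httpdocs/shop/config.php' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:23:10,555] imav.malwarelib.utils.malware_response: Uploaded file '/var/spool/cron/crontabs/root' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:23:11,000] imav.malwarelib.utils.malware_response: Scan finished for /var/www/vhosts/example.com
"""


@dataclass
class Upload:
    timestamp: Optional[str]   # None for lines logged without a timestamp
    path: str
    reason: str

    @property
    def vhost(self) -> Optional[str]:
        m = VHOST_RE.match(self.path)
        return m.group("vhost") if m else None

    @property
    def likely_credentials(self) -> bool:
        name = self.path.rsplit("/", 1)[-1]
        return name in CREDENTIAL_NAMES or self.path.startswith(CRON_PREFIX)


def parse_uploads(log_text: str) -> list[Upload]:
    """Return one Upload per 'Uploaded file' line; all other lines are ignored."""
    uploads = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if m:
            uploads.append(Upload(m.group("ts"), m.group("path"), m.group("reason")))
    return uploads


def summarize(uploads: list[Upload]) -> dict:
    """Aggregate uploads by vhost and reason and list credential-bearing paths."""
    by_vhost = Counter(u.vhost or "(outside vhosts)" for u in uploads)
    by_reason = Counter(u.reason for u in uploads)
    return {
        "total": len(uploads),
        "by_vhost": dict(by_vhost),
        "by_reason": dict(by_reason),
        "credential_candidates": sorted(u.path for u in uploads if u.likely_credentials),
    }


def report(log_text: str) -> str:
    """Human-readable summary; one line per affected vhost plus the sensitive paths."""
    s = summarize(parse_uploads(log_text))
    lines = [f"uploaded files: {s['total']}"]
    lines += [f"  {vh}: {n}" for vh, n in sorted(s["by_vhost"].items())]
    lines += [f"  reason {r}: {n}" for r, n in sorted(s["by_reason"].items())]
    lines.append(f"likely credential-bearing files: {len(s['credential_candidates'])}")
    lines += [f"  {p}" for p in s["credential_candidates"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Default is the path named in the thread; pass another file to analyse a saved copy.
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/imunify360/console.log"
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        print(report(fh.read()))
```

Run it against a copy of the log directory you preserved rather than the live file, so the inventory and the evidence stay consistent; the credential list is a starting point for deciding which vhost owners need to be told and which secrets should be rotated, not a complete definition of sensitive data.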
 
@Ekaterina Babenko, respectfully, this statement:

"As a result of the internal check conducted with the CloudLinux team, they confirmed that the extension does not use personal or sensitive data for security analysis and that it is removed instantly once found while still being on the server. It means that the personal/sensitive data is not transferred externally or stored on their analysis server."

is a complete brush off of the specific, serious concerns presented in this thread.

Saying "JUST TRUST US!" when Imunify claims that no "personal or sensitive data" is used or kept in any way is really beside the point and simply doesn't cut it, either ethically and I would have to assume legally as well.
 