
Issue Important: Imunify auto installation and possible data leak

Fede Marsell

Basic Pleskian
Server operating system version: AlmaLinux release 8.10, Ubuntu 22.04, Ubuntu 24.04
Plesk version and microupdate number: 18.0.69, 18.0.70

As many PLESK users have seen, a few days ago, the Imunify extension was installed automatically.

This installation was carried out without your consent.

This fact, in itself, is quite serious.

The reason for this post is that it is possible that much of your data has been transferred by this extension from your server to Imunify servers.

If you have seen that Imunify has been automatically installed on your server without your consent, it is urgent that you access your server via SSH and check if your files have been sent to external servers. Simply run the command:

grep Uploaded /var/log/imunify360/console.log

If you see logs like this, it means those files have been transferred to an external server:

INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious

This issue is being addressed in another POST, but it seems PLESK is unaware of the seriousness of the situation (Resolved - Plesk, what’s going on here? - Imunify auto installation).

If you are a PLESK user and have detected that this extension has been installed without permission, check the logs to see if your files may have been transferred to external servers.

This is very serious.
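
The check described above can be taken one step further by summarising what was uploaded and from which vhost. The script below is an added example, not part of the original post and not code from Plesk or Imunify; it assumes the log line format quoted in the thread, and the domains and log lines in `sample_log` are constructed.

```shell
#!/bin/sh
# Added example: summarise Imunify "Uploaded file" entries from console.log.
# The line format is the one quoted in the thread; all sample data is constructed.
TAB=$(printf '\t')

# Emit "timestamp<TAB>reason<TAB>path" for each upload entry read from stdin.
# The timestamp is optional because some quoted lines in the thread omit it.
extract_uploads() {
  sed -n -E "s/^INFO (\[([^]]+)\] )?imav\.malwarelib\.utils\.malware_response: Uploaded file '(.*)' to the Malware Response Service with reason: (.*)$/\2${TAB}\4${TAB}\3/p"
}

# Count uploads per vhost, i.e. the directory directly under /var/www/vhosts/.
uploads_per_vhost() {
  extract_uploads | awk -F'\t' '
    { n = split($3, p, "/")
      v = ($3 ~ /^\/var\/www\/vhosts\// && n > 5) ? p[5] : "(outside vhosts)"
      c[v]++ }
    END { for (v in c) printf "%d\t%s\n", c[v], v }' |
    LC_ALL=C sort -t "$TAB" -k1,1nr -k2,2
}

# List uploaded files named config.php or wp-config.php (the names reported
# in the thread); such files often hold credentials, so review them first.
config_uploads() {
  extract_uploads | awk -F'\t' '
    { n = split($3, p, "/"); if (p[n] ~ /^(wp-)?config\.php$/) print $3 }' |
    LC_ALL=C sort -u
}

# Constructed sample log: example.com / example.org are placeholder domains.
sample_log() {
  cat <<'EOF'
INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:22:29,101] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/app/config.php' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:23:02,870] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.org/httpdocs/wp-config.php' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:23:40,012] imav.malwarelib.utils.malware_response: Uploaded file '/var/spool/cron/crontabs/siteuser' to the Malware Response Service with reason: extended-suspicious
INFO [2025-06-26 08:24:00,000] constructed.noise.line: not an upload entry
EOF
}

# Demo on the constructed sample. On a server, feed the real log instead:
#   uploads_per_vhost < /var/log/imunify360/console.log
sample_log | uploads_per_vhost
```

Run it against a copy of the log rather than the live file if the log directory is being kept as evidence.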
 
Unfortunately, I had already deleted these remnants just yesterday – partly based on the advice from Plesk support. Your post, unfortunately, came one day too late for me. It would have been very helpful if someone had pointed out that this area should be checked earlier.

I'm honestly very disappointed with how Plesk has handled this situation.

I’d really appreciate it if others could share what exactly was transferred in their case – particularly whether it included vhost files or even system files, and to what extent. If vhost data was copied, that would raise serious concerns about informing affected users accordingly.
 
I manage many servers, on almost all of them (99%) Imunify was installed automatically (without consent), and this data transfer appears on all of them.

It would be helpful if someone from Imunify or PLESK could explain how these files, which have been transferred without any consent, are handled.
 
As many PLESK users have seen, a few days ago, the Imunify extension was installed automatically.

I have addressed this matter in the previous thread. To sum up, non-Imunify users were not the target of this replacement and the installation was not done intentionally.

INFO [2025-06-26 08:22:28,209] imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/httpdocs/file.php' to the Malware Response Service with reason: extended-suspicious

We have discussed this action with the CloudLinux team and it has been confirmed that any sensitive or personal data is excluded from the analysis. According to the information we have now, this functionality is part of paid packages which come with the specific license. According to our information, this check is not initiated by the Imunify installation itself. However, none of your personal and sensitive data is included in the security analysis, according to the CloudLinux team's words. If you would like to understand why you see this message in the log saying that there is no license on the server, please submit a ticket.
 
I can confirm what Fede is saying as well. I did not install nor pay for any license from Imunify360, yet I've just discovered a lot of /vhost files have been uploaded from my server to Imunify.

What exactly does "any sensitive or personal data is excluded from the analysis" mean, and how is it determined?
 
I'm really starting to worry about what kind of data might have leaked from my server to Imunify. Honestly, it's unbelievable how badly they messed this up. Who needs hackers — Plesk does the job?

Sending data without user consent is absolutely unacceptable! An extension like that must ask first. You can't just send off files without permission — that's a total breach of trust.
 
This affects thousands of servers running PLESK, yet here we are, just three users concerned about security.

The rest of the community seems asleep.

I've been managing servers for decades, and the current feeling is that no one cares about security.

Plesk installs extensions without your consent. That extension sends your data to external servers without your knowledge, something that should be reported as an illegal practice.

But like I said, here we are. One post, eight replies, three users.

And what does PLESK do? Taking us for fools.
@Azurel file types I've seen uploaded from /vhosts so far include .html, .htm, .txt, .cgi, .php, .zip, plus files located in /var/spool/cron/crontabs/

I checked this on many servers, file by file, to see if they were infected or had injected code. Of 60 files manually analyzed, only one, wp-config.php, had injected code. The others were transferred for no reason.
 
We can also confirm that files are being uploaded by the free Imunify extension to external servers. This behavior cannot be avoided, as the option to disable it is simply missing. Only the more advanced Imunify360 offers the possibility to disable the automatic sending of suspicious and malicious files for analysis in the GUI. Depending on what was transmitted, this could now have caused data protection breaches on thousands of servers, requiring the owners to officially report them to the authorities and the affected users.
 
Thank you for your confirmation @Hangover2

You are correct. Affected users should save the logs directory /var/log/imunify360/ as proof of the illegal data transfer. This is necessary for future action.
 
Hello everyone.
My name is Ekaterina and I am product manager of Imunify extension in Plesk.

I investigated this matter with CloudLinux and would like to share with you the findings.
Thank you for your patience.

Imunify is widely acknowledged as a reputable and trusted security extension, consistently demonstrating its effectiveness and reliability across a broad user base. To further ensure data protection, I conducted an internal review in collaboration with the CloudLinux team.

As result of internal check conducted with CloudLinux team they confirmed that extension does not use personal or sensitive data for security analysis and it is removed instantly once found while still being on the server.

It means that the personal/sensitive data is not transferred externally or stored on their analysis server.

CloudLinux team has no intent and do not use any personal or sensitive data and only suspicious/malicious information is analysed in order to provide security on the server.

Appreciate your understanding.
 
Imunify is widely acknowledged as a reputable and trusted security extension, consistently demonstrating its effectiveness and reliability across a broad user base. To further ensure data protection, I conducted an internal review in collaboration with the CloudLinux team.

That information is irrelevant.

We're talking about unauthorized installations and data transfers without any kind of consent. I believe PLESK is unaware of either the seriousness of the situation or its legal responsibility.

As result of internal check conducted with CloudLinux team they confirmed that extension does not use personal or sensitive data for security analysis and it is removed instantly once found while still being on the server.

It means that the personal/sensitive data is not transferred externally or stored on their analysis server.

The evidence indicates the opposite. And any user can verify this. In fact, many have already verified it.

An example of the transfer of files called config.php. None of them, I repeat: none of them contain malware. They are legitimate files.


INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/XXX/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/config.php' to the Malware Response Service with reason: extended-suspicious
INFO imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/*/httpdocs/XXX/config.php' to the Malware Response Service with reason: extended-suspicious


PLESK's response is clearly deficient. The severity of the situation would require decisive measures.
 
Who decides which post is the best? PLESK decides its own answer is the best? Is this a joke?

I find it incredible how you are handling this matter.


 
@Ekaterina Babenko, respectfully, this statement:

"As result of internal check conducted with CloudLinux team they confirmed that extension does not use personal or sensitive data for security analysis and it is removed instantly once found while still being on the server. It means that the personal/sensitive data is not transferred externally or stored on their analysis server."

is a complete brush off of the specific, serious concerns presented in this thread.

Saying "JUST TRUST US!" when Imunify claims that no "personal or sensitive data" is used or kept in any way is really beside the point and simply doesn't cut it, either ethically and I would have to assume legally as well.
 
Thank you Plesk users for alerting us to this issue. Like you, I take it very seriously. When I saw that Imunify had been added, I assumed it was either a trial version or an 'improvement' to the standard Plesk offerings; not an extension that had wrongly been installed: opt-out instead of opt-in.
I only found this thread and the related one, after online search. Surely Plesk could & should have contacted registered Plesk licence holders pro-actively, seeing this is a security & data protection issue.
I can't be mollified by the "assurance" that sensitive or personal data is not involved in Imunify data transfer, so nothing to worry about. Copying data &/or storing sensitive data at another location without express permission of the IP owner is clearly not-on. But so is 'finding' that data without the knowledge or consent of the owner:
As result of internal check conducted with CloudLinux team they confirmed that extension does not use personal or sensitive data for security analysis and it is removed instantly once found while still being on the server.

It means that the personal/sensitive data is not transferred externally or stored on their analysis server.

"....personal or sensitive data...is removed instantly once found"!
Also it should be up to the IP owner to decide what is ‘sensitive’ and not to be copied & transferred, not up to the writers of unsolicited 3rd party software. This is not only about clearly personal data; but about business-in-confidence data, copyrighted code, programs that are intended to remain securely hidden on our 'secure' servers to protect developers & end users.
 
This is not only about clearly personal data; but about business-in-confidence data, copyrighted code, programs that are intended to remain securely hidden on our 'secure' servers to protect developers & end users.

Exactly.

Thank you Plesk users for alerting us to this issue. Like you, I take it very seriously.

As you can see, very few people are concerned about the security or confidentiality of their data.
 
We can also confirm that files are being uploaded by the free Imunify extension to external servers. This behavior cannot be avoided, as the option to disable it is simply missing. Only the more advanced Imunify360 offers the possibility to disable the automatic sending of suspicious and malicious files for analysis in the GUI. Depending on what was transmitted, this could now have caused data protection breaches on thousands of servers, requiring the owners to officially report them to the authorities and the affected users.


@Hangover2, @Fede Marsell and @AlL,


As mentioned in another post, quoted briefly as

"[ ... ]

The best way is to convince Plesk that Imunify is - factually - determining what is "suspicious".

This is also the main problem here : Imunify is that kind of extension that flags (almost) everything as "suspicious".

And there we have it : if Plesk does nothing and allows a malcoded extension to create false positives that result in uploads to external servers on the grounds of fraud protection or fraud prevention, then Plesk will become FULLY LIABLE, since false positives are not a legal ground to share data.

Each and every false positive found is PROOF that there is no legal ground for sharing data for the purpose of fraud protection or fraud prevention.

Each and every false positive found is PROOF that the Imunify extension is not allowed to upload data to external servers.

Each and every false positive found is PROOF that Plesk is responsible to remove the Imunify extension immediately.

A failure to remove the Imunify extension will make Plesk fully liable for each and every false positive.

[...]"


PLEASE build a case by providing the false positives.


That case can then be presented to Plesk.

Legal action will be a bit difficult, for many reasons that I will not discuss - I am not trying to bore people. Trying!


Kind regards......
 
I don't have time for sarcasm. This case is serious. It's an unauthorized installation and an unauthorized (and illegal) data transfer.

If you need evidence, here it is: Issue - Important: Imunify auto installation and possible data leak

If the PLESK community ignores these types of practices, even when they can be easily verified (just check the logs), it means there's no real concern for data security or confidentiality.

Nobody cares. This is the sad truth.
 