
Issue: Malicious .ico files and PHP files are appearing in different subscriptions

WebHostingAce

Silver Pleskian
Hi Everyone.

Plesk Panel - Version 17.8.11 Update #13
OS - CentOS 6.10 (Updated Last Night from 6.9)

There are malicious .ico files and .php files appearing in different subscriptions. Some of the subscriptions are using Magento CMS and others are using WordPress CMS. So I believe this hack is not CMS related.

The server has always been kept up to date.

None of the subscriptions on this server have SSH at all. Perl and Python are not provided either.

Using Plesk Firewall with Defaults and WAF with Atomic Basic ModSecurity/Thorough

Any ideas or suggestions will be much appreciated.
 
Hi Peter,

Thank you very much for your reply.

The problem is that these subscriptions are not only WordPress.

Some of them are Magento 1.x, and they have been patched and are up to date.

Do you think the whole server is compromised?

I ran 'plesk repair fs' and it found some issues with the hacked subscriptions:

There are incorrect permissions on some items in the root directory
of the domain 'domain.tld' ............................... [ERROR]
- Incorrect permissions on /var/www/vhosts/domain.tld/.:
expected is one of 0710, actual is 0755

Could this have been the issue?

Thank you.
 
Do you think the whole server is compromised?
No, not the whole server, but all domains, files, directories that share the same webspace subscription are likely affected.

There are incorrect permissions on some items in the root directory
of the domain 'domain.tld' ............................... [ERROR]
- Incorrect permissions on /var/www/vhosts/domain.tld/.:
expected is one of 0710, actual is 0755
Could this have been the issue?
No, not likely; it can be a symptom of the attack though, but normally permissions of 755 are safe enough. Only if you have additional SSH user accounts that are not chrooted should you worry about group and anonymous read permissions on some files. If you are the only admin on the system, it does not really matter what permissions are set. For an attacking script however, 0755 allows read/write while 0710 does not.
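As an added example (not code from any post in this thread), a small POSIX shell script that applies the two checks discussed above to a vhosts tree: it flags domain roots whose mode differs from the 0710 that 'plesk repair fs' expects, and lists .ico files that contain a PHP open tag, which a real icon never should. The vhosts path, the GNU stat/find tools and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example: check Plesk vhost root permissions and spot .ico files carrying PHP.
# Assumes Linux with GNU stat and find. The vhosts path is hypothetical.

# Report each domain root under $1 whose mode is not 0710 (what 'plesk repair fs' expects).
# Output line format: PERM <dir> <actual mode>
check_vhost_perms() {
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        mode=$(stat -c %a "$d")
        [ "$mode" = "710" ] || echo "PERM ${d%/} $mode"
    done
}

# List every .ico file under $1 that contains a PHP open tag.
# An icon is binary image data; a '<?php' tag inside one is a strong sign of a planted script.
find_php_in_ico() {
    root="$1"
    find "$root" -type f -name '*.ico' -exec grep -l '<?php' {} + 2>/dev/null
}

# Constructed sample tree (not real customer data) so the checks can be run offline:
# good.tld has the expected 0710 root and a harmless favicon,
# bad.tld has a 0755 root and a favicon.ico that is really a PHP file.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good.tld/httpdocs" "$tmp/bad.tld/httpdocs"
    chmod 0710 "$tmp/good.tld"
    chmod 0755 "$tmp/bad.tld"
    printf 'constructed icon bytes' > "$tmp/good.tld/httpdocs/favicon.ico"
    printf '<?php echo "constructed sample"; ?>' > "$tmp/bad.tld/httpdocs/favicon.ico"
    echo "$tmp"
}

# Usage on a live system (path is an assumption): sh check.sh /var/www/vhosts
if [ $# -eq 1 ]; then
    check_vhost_perms "$1"
    find_php_in_ico "$1"
fi
```

Treat any hit as a trigger to compare the file against a known-good copy of the site and review the web server access log for the first request that touched it.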
 
Hi Peter,

Thank you very much.

No, these are separate subscriptions, owned by different customers.

There is no SSH access for any of the system users, but the Magento subscriptions run "Scheduled Tasks".

I just can't figure out how this could be possible.
 