
Issue Malicious .ico files and php files are appearing in different subscriptions

WebHostingAce

Silver Pleskian
Hi Everyone.

Plesk Panel - Version 17.8.11 Update #13
OS - CentOS 6.10 (Updated Last Night from 6.9)

There are malicious .ico files and .php files appearing in different subscriptions. Some of the subscriptions are using the Magento CMS and others are using the WordPress CMS, so I believe this hack is not CMS related.

The server has always been kept up to date.

None of the subscriptions on this server have SSH access at all. Perl and Python are not provided either.

Using Plesk Firewall with Defaults and WAF with Atomic Basic ModSecurity/Thorough

Any ideas or suggestions will be much appreciated.
 
Hi Peter,

Thank you very much for your reply.

The problem is that these subscriptions are not only WordPress.

Some of them are Magento 1.x, and they have been patched and are up to date.

Do you think the whole server is compromised?

I ran 'plesk repair fs' and it found some issues with the hacked subscriptions:

There are incorrect permissions on some items in the root directory
of the domain 'domain.tld' ............................... [ERROR]
- Incorrect permissions on /var/www/vhosts/domain.tld/.:
expected is one of 0710, actual is 0755

Could this have been the issue?

Thank you.
 
Do you think the whole server is compromised?
No, not the whole server, but all domains, files and directories that share the same webspace subscription are likely affected.

There are incorrect permissions on some items in the root directory
of the domain 'domain.tld' ............................... [ERROR]
- Incorrect permissions on /var/www/vhosts/domain.tld/.:
expected is one of 0710, actual is 0755
Could this have been the issue?
No, not likely. It can be a symptom of the attack, though, but normally permissions of 755 are safe enough. Only if you have additional SSH user accounts that are not chrooted should you worry about group and anonymous read permissions on some files. If you are the only admin on the system, it does not really matter what permissions are set. For an attacking script, however, 0755 allows read/write while 0710 does not.
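A defender-side triage script, added here as an example (it is not Plesk tooling and not code from anyone in this thread): it checks each webspace root under /var/www/vhosts against the 0710 mode that 'plesk repair fs' expects, lists recently changed .ico/.php files, and flags .ico files that carry PHP open tags. That the dropped icon files contain PHP is an assumption the thread does not state, as are the directory names skipped as non-webspace entries.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

EXPECTED_ROOT_MODE = 0o710  # mode 'plesk repair fs' expects on /var/www/vhosts/<domain>

def audit_vhosts(vhosts_root, recent_days=7, now=None):
    """Return {domain: {"bad_mode", "recent", "php_in_ico"}} per webspace root."""
    cutoff = (time.time() if now is None else now) - recent_days * 86400
    findings = {}
    for domain_dir in sorted(Path(vhosts_root).iterdir()):
        # "system", "default", "chroot" are assumed non-webspace entries; skip them
        if not domain_dir.is_dir() or domain_dir.name in {"system", "default", "chroot"}:
            continue
        report = {"bad_mode": None, "recent": [], "php_in_ico": []}
        mode = stat.S_IMODE(domain_dir.stat().st_mode)
        if mode != EXPECTED_ROOT_MODE:
            report["bad_mode"] = f"{mode:04o}"  # e.g. "0755", as in the thread
        for path in sorted(domain_dir.rglob("*")):
            if not path.is_file() or path.suffix.lower() not in (".ico", ".php"):
                continue
            rel = str(path.relative_to(domain_dir))
            if path.stat().st_mtime >= cutoff:
                report["recent"].append(rel)  # changed recently: review by hand
            if path.suffix.lower() == ".ico":
                head = path.read_bytes()[:512].lower()  # a real icon never holds PHP
                if b"<?php" in head or b"<?=" in head:
                    report["php_in_ico"].append(rel)
        findings[domain_dir.name] = report
    return findings

def build_sample_tree():
    """Constructed sample vhosts tree (not real data) so the audit runs offline."""
    root = Path(tempfile.mkdtemp(prefix="vhosts_"))
    clean = root / "clean.tld" / "httpdocs"
    clean.mkdir(parents=True)
    (clean / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    old = time.time() - 30 * 86400  # untouched for a month
    os.utime(clean / "index.php", (old, old))
    os.chmod(root / "clean.tld", EXPECTED_ROOT_MODE)
    hit = root / "hit.tld" / "httpdocs"
    hit.mkdir(parents=True)
    (hit / "favicon.ico").write_bytes(b"<?php /* constructed marker */ ?>")
    os.chmod(root / "hit.tld", 0o755)  # the drift the thread's OP saw
    return root

if __name__ == "__main__":
    print(audit_vhosts(build_sample_tree()))  # pass "/var/www/vhosts" on a real server
```

On a live server run it as root so every webspace is readable, and treat a non-empty php_in_ico list as a reason to pull the whole subscription's files for review, not just the flagged icon.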
 
Hi Peter,

Thank you very much.

No, these are separate subscriptions, owned by different customers.

There is no SSH access for any of the system users, but the Magento subscriptions run "Scheduled Tasks".

I just can't figure out how this could be possible.
 