
PHP script injections, can Plesk help me find the culprit

LoïcM

Basic Pleskian
Hi all, my server is compromised as every day I can see malicious PHP scripts created and buried in some websites. I'm able to find these from the access log, looking for POST requests on unusual PHP locations (example: POST /assets/images/actus/start.php HTTP/1.0). So I've created a fail2ban filter to ban IPs accessing these URLs but this doesn't stop the root cause of infection.
Can Plesk help me understand how those scripts are created?
Thank you
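The access-log check described in the post above, as an added example that is not part of the thread: it flags POST requests to .php files under directories that should only hold static content and records when each script was first hit and by whom. The directory list, function names and sample log lines are constructed assumptions, and the parser expects the common/combined log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: these directories should only ever serve static files.
STATIC_DIRS = ("assets", "images", "img", "uploads", "media", "css", "js")
STATIC_PHP_RE = re.compile(
    r"^/(?:[^/?]+/)*(?:%s)/(?:[^/?]+/)*[^/?]+\.php(?:\?|$)" % "|".join(STATIC_DIRS),
    re.IGNORECASE,
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-log-format line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious_posts(lines):
    """Group POSTs to .php files under static directories by script path."""
    hits = defaultdict(
        lambda: {"first_seen": None, "ips": set(), "statuses": set(), "count": 0})
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST" or not STATIC_PHP_RE.match(rec["path"]):
            continue
        entry = hits[rec["path"].split("?", 1)[0]]  # ignore the query string
        entry["count"] += 1
        entry["ips"].add(rec["ip"])
        entry["statuses"].add(rec["status"])
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:03:14:07 +0100] "POST /assets/images/actus/start.php HTTP/1.0" 200 312 "-" "-"',
    '198.51.100.23 - - [10/Mar/2016:03:10:55 +0100] "POST /assets/images/actus/start.php HTTP/1.0" 200 298 "-" "-"',
    '192.0.2.10 - - [10/Mar/2016:03:15:00 +0100] "POST /index.php?option=contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2016:03:15:02 +0100] "GET /assets/images/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2016:03:16:40 +0100] "POST /uploads/2016/cache.php?x=1 HTTP/1.0" 404 0 "-" "-"',
]
if __name__ == "__main__":
    for path, e in suspicious_posts(SAMPLE_LOG).items():
        print(path, e["first_seen"].isoformat(), e["count"], sorted(e["ips"]), sorted(e["statuses"]))
```

The first_seen value is an upper bound on when each file was written, which narrows the time window to search in the other logs for the request that created it.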
 
Can Plesk help me understand how those scripts are created?
Frankly, it is an out-of-scope task even for the Plesk Support Team.
Regarding the forum - how do you imagine doing a security audit of your server in the scope of a forum discussion? Direct root SSH access to your server and serious investigation are required. It is really a system administrator's task.
I can suggest you read this documentation carefully, for example - http://docs.plesk.com/en-US/12.5/advanced-administration-guide-linux/enhancing-security.68755/ or https://kb.plesk.com/en/114620
I hope it will help. Or maybe someone from the community will help you with a security audit of your server.
 
Thank you Igor, I've been parsing many log files for days without finding the hole, so I was just wondering if Plesk had some tools that can point me to some security flaws... I will check your links, thanks.
 
This has nothing to do with Plesk but I've just found OSSEC and it's a great tool to know what is happening on a server by checking for rootkits, monitoring logs, verifying checksums of important files etc.
OSSEC can be found on GitHub: http://ossec.github.io/
 
Hi all, my server is compromised as every day I can see malicious PHP scripts created and buried in some websites. I'm able to find these from the access log, looking for POST requests on unusual PHP locations (example: POST /assets/images/actus/start.php HTTP/1.0). So I've created a fail2ban filter to ban IPs accessing these URLs but this doesn't stop the root cause of infection.
Can Plesk help me understand how those scripts are created?
Thank you

If you rules all security until from your server with panel plesk,
you can use the htaccess:
I assemble all if you want? http://alexonbalangue.me/offline/référencement-sécuriser-votre-site.html, you need to edit the files to adapt them for your website.

Hacker passed:
  • SSH, XSS, SQL injection, etc...
Next step:
  1. Fix security
  2. Re-build your website
  3. Update your website
  4. etc...
 