
PHP script injections, can Plesk help me find the culprit

LoïcM

Basic Pleskian
Hi all, my server is compromised as every day I can see malicious PHP scripts created and buried in some websites. I'm able to find these from the access log, looking for POST requests on unusual PHP locations (example: POST /assets/images/actus/start.php HTTP/1.0). So I've created a fail2ban filter to ban IPs accessing these URLs but this doesn't stop the root cause of infection.
Can Plesk help me understand how those scripts are created?
Thank you
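
The log check described in the post above, as an added example that is not part of the original thread: it flags POST requests to PHP files inside directories that normally hold only static content, and records the first time each path was hit so that timestamp can be compared with other logs. The combined log format, the `STATIC_DIRS` list, the function name and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:04:10:01 +0100] "POST /assets/images/actus/start.php HTTP/1.0" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:04:10:05 +0100] "GET /assets/images/actus/photo1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:04:11:40 +0100] "POST /contact.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2016:04:12:13 +0100] "POST /assets/images/actus/start.php?x=1 HTTP/1.0" 200 312 "-" "-"
192.0.2.44 - - [12/Mar/2016:04:15:02 +0100] "POST /media/uploads/cache.PHP HTTP/1.1" 404 210 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: directory names that should only ever serve static files.
STATIC_DIRS = {"assets", "images", "img", "uploads", "media", "css", "js", "fonts"}


def suspicious_posts(log_text):
    """Return {path: stats} for POSTs to *.php files below a static directory."""
    hits = defaultdict(
        lambda: {"count": 0, "ips": set(), "statuses": set(), "first_seen": None}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]      # ignore the query string
        segments = path.lower().split("/")       # compare case-insensitively
        if not segments[-1].endswith(".php"):
            continue
        if not STATIC_DIRS.intersection(segments[:-1]):
            continue
        entry = hits[path]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["statuses"].add(m["status"])       # 200: file exists; 404: probe only
        if entry["first_seen"] is None:          # log files are in time order
            entry["first_seen"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for path, info in suspicious_posts(SAMPLE_LOG).items():
        print(path, info["count"], sorted(info["ips"]),
              sorted(info["statuses"]), info["first_seen"])
```

The first-seen time of a path that answers 200 is an upper bound on when the file was written, which narrows the window to search in the other logs.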
 
Can Plesk help me understand how those scripts are created?
Frankly, it is an out-of-scope task even for the Plesk Support Team.
Regarding the forum: how do you imagine doing a security audit of your server within the scope of a forum discussion? Direct root SSH access to your server and serious investigation are required. It is really a system administrator's task.
I can suggest you carefully read this documentation, for example - http://docs.plesk.com/en-US/12.5/advanced-administration-guide-linux/enhancing-security.68755/ or https://kb.plesk.com/en/114620
I hope it will help. Or maybe someone from the community will help you with a security audit of your server.
 
Thank you Igor, I've been parsing many log files for days without finding the hole, so I was just wondering if Plesk had some tools that can point me to some security flaws... I will check your links, thanks.
 
This has nothing to do with Plesk but I've just found OSSEC and it's a great tool to know what is happening on a server by checking for rootkits, monitoring logs, verifying checksums of important files, etc.
OSSEC can be found on GitHub: http://ossec.github.io/
 
Hi all, my server is compromised as every day I can see malicious PHP scripts created and buried in some websites. I'm able to find these from the access log, looking for POST requests on unusual PHP locations (example: POST /assets/images/actus/start.php HTTP/1.0). So I've created a fail2ban filter to ban IPs accessing these URLs but this doesn't stop the root cause of infection.
Can Plesk help me understand how those scripts are created?
Thank you

If you rules all security until from your server with panel plesk,
you can use the htaccess:
I assemble all if you want? http://alexonbalangue.me/offline/référencement-sécuriser-votre-site.html, you need to edit the files to adapt them for your website.

Hacker passed:
  • SSH, XSS, injecting SQL, etc...
Next step:
  1. Fix security
  2. Re-build your website
  3. Update your website
  4. etc...
 