
Issue: PLEASE_READ_ME_XMG database created and all other databases became corrupt and need to be restored from backup

Giorgos Kontopoulos

Basic Pleskian
I am running a Plesk server with some quite old sites that are still running PHP 5.3 - 5.6 (don't judge).
Since yesterday all the databases were corrupted and became 1.6K in size (erased probably),
and I had to restore them from backup.

It has happened 4 times already since yesterday, and it seems it is only affecting the database level (but I can't be sure).
I know the correct way would be to wipe everything clean and recreate all websites, but at the moment I don't have the time, and since they are running older PHP versions I am not sure there is a point in doing it.

I have already installed BitNinja and mod_security, but they did not seem to do anything to stop the last 2 attacks.
I have disabled access to phpMyAdmin, but perhaps an older site is attacked through the PHP application and they get access to the rest of the databases.

The remnant database PLEASE_READ_ME_XMG asks to visit an .onion website in order not to leak the data of the databases, but they don't have sensitive information, so I will not bother; I just want to find out which website is at fault if possible (there are about 30-40 very low traffic websites on this server).

Is there a way to find out which one is at fault?

Please advise what you would do.
 
Sure enough, I have spent time dropping old applications that owners had no intention of keeping for longer and bringing up to date some other ones for which security patches existed but that I had neglected for some time, since the apps were mostly unmaintained.

After this the attacker has stopped, which probably means that he has used old buggy PHP problems to connect to the app's database and been able to access the rest of the databases in the system.

The attacker has not appeared for more than 3 days already, but I am still keeping an eye on it. But if anyone has any way of isolating MySQL databases from one another in a Plesk environment or otherwise, it would be very helpful to keep the problems of one app to itself...
 
The hacker has hit again.
It seems it is an old system that he can compromise, and from that one alone he can wipe out all the MySQL databases.

- Is there any way to prevent one account in Plesk from affecting databases in the other accounts?
- What do I do to see which account is the one that the hacker can compromise?

Any help will be appreciated.
Thanks
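Whether one account's database user can reach the other accounts' databases comes down to the GRANTs on the MySQL server: a user with privileges on `*.*` or on several databases is enough for a compromised app to drop everything. As an added example (not part of this thread or of Plesk), this Python script parses `SHOW GRANTS` output and flags such users; the grant lines, user names and database names below are constructed sample data.

```python
"""Audit MySQL/MariaDB GRANT statements for users whose privileges cross
database boundaries. Feed it the lines printed by `SHOW GRANTS FOR 'u'@'h'`
for every user (e.g. collected from `SELECT user, host FROM mysql.user`)."""
import re
from collections import defaultdict

# Matches "GRANT <privs> ON <scope> TO <user>@<host>" with optional trailing clauses.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>`[^`]+`\.\S+|\S+) TO (?P<user>\S+)"
)

# Constructed sample: one line per grant, as SHOW GRANTS prints them.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `site1_user`@`localhost`",
    "GRANT ALL PRIVILEGES ON `site1_db`.* TO `site1_user`@`localhost`",
    "GRANT USAGE ON *.* TO `legacy_app`@`localhost`",
    "GRANT ALL PRIVILEGES ON *.* TO `legacy_app`@`localhost` WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO `site2_user`@`%`",
    "GRANT SELECT, INSERT ON `site2_db`.* TO `site2_user`@`%`",
    "GRANT SELECT, DROP ON `shared_db`.* TO `site2_user`@`%`",
]


def parse_grant(line):
    """Return (user@host, database or '*', set of privileges) or None."""
    m = GRANT_RE.match(line.strip())
    if not m or " PROXY ON " in line:      # proxy grants are not database scopes
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    db = m.group("scope").split(".", 1)[0].strip("`'")   # '*' for global grants
    user = m.group("user").replace("`", "").replace("'", "")
    return user, db, privs


def audit_grants(lines):
    """Return {user@host: finding} for users that can reach more than one database."""
    dbs = defaultdict(set)          # user -> databases with explicit grants
    global_privs = defaultdict(set)  # user -> non-USAGE privileges on *.*
    for line in lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        user, db, privs = parsed
        if db == "*":
            global_privs[user] |= privs - {"USAGE"}   # USAGE alone grants nothing
        else:
            dbs[user].add(db)
    findings = {}
    for user in sorted(set(dbs) | set(global_privs)):
        if global_privs[user]:
            findings[user] = "global privileges: " + ", ".join(sorted(global_privs[user]))
        elif len(dbs[user]) > 1:
            findings[user] = "reaches %d databases: %s" % (len(dbs[user]), ", ".join(sorted(dbs[user])))
    return findings
```

In a hosting setup where each site gets its own database and user, every flagged user is a candidate for the kind of cross-account wipe described above and should have its grants narrowed to its own database.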
 
While disabling symlinks and some other tweaks can help, given the gravity and priority of your issue, this really is better suited for Plesk support to look into.
 