Plesk css file has hack code sending emails. How do you see number of emails sent?

[BernieH]

We have encountered hackers placing a email sending program within the css folder of Plesk. Have you run into this problem before and if so do you have any idea of how they get the file placed within the Plesk files for the given URL? Also do you know of any way to see a report of the number of emails being sent from a specific URL or all URL's on our server? Thank you in advance for answering these questions. God Bless, Bernie

 

[prowler318]

I would consider the following:

Not neccesarily done in this order but you get the point.

1. Check your firewall (if you have any for ports that may be open and not needed)
2. Secure your directory structure by chmod things. Giving the correct permissions.
3. Running various rootkit scans and virus scans.
4. Changing passwords to all accounts especially the admin for psa and the server root account.
5. disable root access via ssh and use a separate account to login then sudo or su to things.
6. Make sure your box is to date on packages running and uninstall things you don't need. (For example if it's a plesk server you have no reason to run open office on it.) Do not confuse backporting with packages not being the latest version if you're using a distro of linux that backports.

Also check the /var/log folder and view any logs there for some insight.

God bless you too!