
Issue Plesk default test Pages vulnerable (miva/test.html) ??

daanse

Regular Pleskian
Hi,

I was always wondering if these default test pages were vulnerable:

Code:
# ls -l
total 36
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 apacheasp
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 cgi
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 coldfusion
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 fcgi
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 miva
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 perl
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 php
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 python
drwxr-xr-x 2 hostinguser psacln 4096 Jan 18 20:47 ssi

because if I look at the (old?) miva folder:

Code:
# ls -l
total 132
-rw-r--r-- 1 hostinguser psacln   1962 Jun 22  2017 test.html
-rw-r--r-- 1 hostinguser psacln   6326 Jun 22  2017 test.mvc
-rw-r--r-- 1 hostinguser psacln 121236 Jan 18 20:47 xmlrpc-default_heading.php

and first found a recently modified file (see date) named xmlrpc-default_heading.php, which seems to be infected.


How is this possible?
It turned out that the customer is being hacked anyway (not clear how exactly, but this seems a good entry point though)...

Any ideas?
This server was upgraded before .... We were using Plesk Onyx for a long time now. Before it was some older server with some "miva" folder?!
 
Well you have to go to the customer website and identify....

So this is not the miva test page's fault?
And my question generally about those test pages: are they safe to leave alone by default?
Or should we use "own default templates"?
 
I do not believe that the miva or test pages are at fault. It is up to you if you like to provide test pages or not. I, for example, cleaned it up and removed unnecessary test pages, and on a newer Onyx installation the structure looks like

drwxr-xr-x 2 xyz psacln 4096 Jun 29 2018 fcgi
drwxr-xr-x 2 xyz psacln 4096 Jun 29 2018 perl
drwxr-xr-x 2 xyz psacln 4096 Jun 29 2018 php
drwxr-xr-x 2 xyz psacln 4096 Jun 29 2018 python
drwxr-xr-x 2 xyz psacln 4096 Jun 29 2018 ssi
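
Added example, not part of any post in this thread: a shell check for the pattern in the first post's miva listing, where a file is far newer than its siblings or a `.php` file sits in a test directory other than `php/`. The function names and the 30-day threshold are assumptions, GNU `stat` and `touch` are assumed, and the tree location is passed as an argument because the thread does not give it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and touch (Linux).
# The location of the test-page tree is an argument; the thread does not give it.

# scan_test_pages ROOT [MAX_DAYS] prints "REASON<TAB>PATH" per finding:
#   NEWER  modified more than MAX_DAYS after the oldest file in its directory
#   PHP    a .php file in a directory other than php/
scan_test_pages() {
    root=$1
    max_age=$(( ${2:-30} * 86400 ))
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        lang=$(basename "$dir")
        oldest=""
        # First pass: the oldest regular file (dotfiles included) is the baseline.
        for f in "$dir"* "$dir".[!.]*; do
            [ -f "$f" ] || continue
            m=$(stat -c %Y "$f")
            if [ -z "$oldest" ] || [ "$m" -lt "$oldest" ]; then oldest=$m; fi
        done
        [ -n "$oldest" ] || continue
        # Second pass: report outliers against that baseline.
        for f in "$dir"* "$dir".[!.]*; do
            [ -f "$f" ] || continue
            m=$(stat -c %Y "$f")
            if [ $(( m - oldest )) -gt "$max_age" ]; then printf 'NEWER\t%s\n' "$f"; fi
            case "$f" in
                *.php) [ "$lang" = php ] || printf 'PHP\t%s\n' "$f" ;;
            esac
        done
    done
}

# Constructed sample: mirrors the file names and dates of the miva listing
# in the first post, plus a stock-looking php/test.php for contrast.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/miva" "$t/php"
    touch -d '2017-06-22' "$t/miva/test.html" "$t/miva/test.mvc" "$t/php/test.php"
    touch -d '2019-01-18 20:47' "$t/miva/xmlrpc-default_heading.php"
    echo "$t"
}

if [ $# -gt 0 ]; then scan_test_pages "$@"; fi
```

A finding only marks a file for inspection. Modification times can be reset by whoever wrote the file, so a clean result does not prove the tree is untouched.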
 