
Issue Plesk has been hacked several days ago

User2546

New Pleskian
Hello

My hosting owner changed the platform to Plesk several days ago, and after maybe 12 hours the whole server was hacked, including my site. Hackers in some mysterious way added a file named log.php to the httpdocs folder, whose content allowed executing any code on the server. After this there were many POST requests to the log.php file from various proxies, and many complex PHP files appeared in the httpdocs folder. Does anyone have any information about what could have happened and how it was possible?
 
From what you describe, your website was hacked (injected), not the Plesk server. If they have added a file in your httpdocs folder, this means your website is vulnerable to injection. I am almost sure you have open-source software like WordPress, Joomla, etc.
The question now is, what have they executed? I don't think they have access to your server as the root user, probably only as a web user, and yes, they started to send out mails, BNC, whatever the script does.
If you want to fix this, you need to see how they got into your website, install mod_security, fail2ban, etc., and also fix your vulnerable website.
 
I certainly do not have WordPress, Joomla, etc. installed, and I never had. I don't think I have any vulnerable files on my hosting either. My hosting owner wrote to me that many domains on his server were hacked in exactly the same manner at the same time.
 
Then you should check the access_log for each domain and try to check for POST requests; somehow they uploaded the files. You need to find the clue to solve the problem.
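
The access_log check suggested in the reply above, as an added example that is not part of the original thread: it groups POST requests by target script and sorts them by first-seen time, so the scripts that received POSTs earliest (candidate upload points) come first and a file like log.php hit from many addresses stands out. It assumes the Apache/nginx combined log format; the sample lines, IP addresses, dates and the `/upload/form.php` path are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, hypothetical paths and dates).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2015:02:11:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:02:14:05 +0000] "POST /upload/form.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Mar/2015:02:15:30 +0000] "POST /log.php HTTP/1.1" 200 48 "-" "-"',
    '192.0.2.90 - - [10/Mar/2015:02:15:58 +0000] "POST /log.php?x=1 HTTP/1.1" 200 48 "-" "-"',
    '198.51.100.21 - - [10/Mar/2015:02:16:12 +0000] "POST /log.php HTTP/1.1" 200 51 "-" "-"',
]

def summarize_posts(lines):
    """Group POST requests by target path, earliest first-seen path first."""
    stats = defaultdict(lambda: {"count": 0, "ips": set(), "first": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # ignore unparseable lines and non-POST traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # same script regardless of query string
        entry = stats[path]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
    rows = [
        {"path": p, "count": s["count"], "distinct_ips": len(s["ips"]),
         "first_seen": s["first"]}
        for p, s in stats.items()
    ]
    return sorted(rows, key=lambda r: r["first_seen"])

if __name__ == "__main__":
    for row in summarize_posts(SAMPLE):
        print(f'{row["first_seen"]:%Y-%m-%d %H:%M:%S}  {row["count"]:>4} POSTs  '
              f'{row["distinct_ips"]:>3} IPs  {row["path"]}')
```

On a real server, pass each domain's opened access_log file to `summarize_posts` instead of `SAMPLE`, then compare the first-seen times with the modification times of the unexpected PHP files in httpdocs.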
 