
Issue Plesk has been hacked several days ago

User2546

New Pleskian
Hello

Several days ago my hosting owner changed the platform to Plesk, and after maybe 12 hours the whole server had been hacked, including my site. Hackers in some mysterious way added a file named log.php to the httpdocs folder, whose content allowed executing any code on the server. After this there were many POST requests to the log.php file from various proxies, and many complex PHP files appeared in the httpdocs folder. Does anyone have any information about what could have happened and how it was possible?
 
From what you describe, your website was hacked and injected, not the Plesk server. If they have added a file in your httpdocs folder, this means your website is vulnerable to injection. I am almost sure you have open-source software like WordPress, Joomla, etc.
The question now is, what have they executed? I don't think they have access to your server as the root user, probably only as a web user, and yes, they started to send out mails, bnc, whatever the script does.
If you want to fix this, you need to see how they got into your website, install mod_security, fail2ban, etc., and also fix your vulnerable website.
 
I certainly do not have WordPress, Joomla, etc. installed and I never had. I don't think I have any vulnerable files on my hosting either. My hosting owner wrote me that many domains on his server were hacked in exactly the same manner at the same time.
 
Then you should check the access_log for each domain and try to check for POST requests; somehow they uploaded the files. You need to find the clue to solve the problem.
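The access_log check suggested in the last reply, as an added example that is not part of the thread: it finds the first request to the dropped file, lists the successful POSTs that came before it, and counts POSTs per PHP path with their distinct client addresses. It assumes the Apache "combined" log format; the sample lines, addresses, date and the `/contact.php` path are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format, assumed here for the per-domain access_log.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    # Returns a dict for a well-formed line, None for anything else.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def triage(lines, dropped="/log.php"):
    """Return (first_hit, earlier_posts, post_summary) for one domain's log."""
    recs = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    first_hit = next((r for r in recs if r["path"] == dropped), None)
    # POSTs answered 2xx before the dropped file was first requested: upload candidates
    earlier = [r for r in recs
               if first_hit and r["ts"] < first_hit["ts"]
               and r["method"] == "POST" and r["status"].startswith("2")]
    # POSTs to any .php path, with the distinct client addresses seen
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for r in recs:
        if r["method"] == "POST" and r["path"].lower().endswith(".php"):
            summary[r["path"]]["count"] += 1
            summary[r["path"]]["ips"].add(r["ip"])
    return first_hit, earlier, dict(summary)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2015:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Mar/2015:09:14:03 +0000] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Mar/2015:09:14:40 +0000] "GET /log.php HTTP/1.1" 200 15 "-" "-"',
    '192.0.2.44 - - [10/Mar/2015:09:20:01 +0000] "POST /log.php HTTP/1.1" 200 48 "-" "-"',
    '192.0.2.91 - - [10/Mar/2015:09:20:09 +0000] "POST /log.php?x=1 HTTP/1.1" 200 48 "-" "-"',
]

if __name__ == "__main__":
    first_hit, earlier, summary = triage(SAMPLE)
    print("first request to dropped file:", first_hit["ts"], first_hit["ip"])
    print("successful POSTs before it:", [(r["path"], r["ip"]) for r in earlier])
    print("POSTs per PHP path:", {p: (v["count"], len(v["ips"])) for p, v in summary.items()})
```

If the list of earlier POSTs is empty for a domain, the file did not arrive through a POST recorded in that domain's log, so the other domains' logs and the FTP and panel logs are the next places to look.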
 