Issue Plesk has been hacked several days ago

User2546

New Pleskian
Hello

My hosting owner changed platform to Plesk several days ago, and after maybe 12 hours the whole server was hacked, including my site. Hackers in some mysterious way added a file named log.php to the httpdocs folder, whose content allowed executing any code on the server. After this there were many POST requests to the log.php file from various proxies, and many complex PHP files appeared in the httpdocs folder. Does anyone have any information about what could have happened and how it was possible?
 
From what you describe, your website was hacked (injected), not the Plesk server. If they have added a file in your httpdocs folder, this means your website is vulnerable to injection. I am almost sure you have open-source software like WordPress, Joomla, etc.
The question now is: what have they executed? I don't think they have access to your server as the root user, probably only as a web user, and yes, they started to send out mails, BNC, whatever the script does.
If you want to fix this, you need to see how they got into your website, install mod_security, fail2ban, etc., and also fix your vulnerable website.
 
I certainly do not have WordPress, Joomla, etc. installed and I never have. I don't think I have any vulnerable files on my hosting either. My hosting owner wrote to me that many domains on his server were hacked in exactly the same manner at the same time.
 
Then you should check the access_log for each domain and try to check for POST requests; somehow they uploaded the files. You need to find the clue to solve the problem.
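
Added example (not part of the original thread): the access_log check suggested in the last reply, in Python. It lists the .php files that answered POST requests, with first hit time and distinct client IPs, then the POST/PUT requests shortly before the first hit on log.php. The combined log format, the sample lines and the name /form.php are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the domain access_log uses the Apache "combined" format.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["path"] = e["path"].split("?", 1)[0]  # ignore the query string
            yield e

def php_post_targets(lines):
    """Map each .php path that answered a POST with 2xx to first hit, client IPs, hit count."""
    stats = defaultdict(lambda: {"first": None, "ips": set(), "hits": 0})
    for e in parse(lines):
        if e["method"] == "POST" and e["path"].endswith(".php") and e["status"][0] == "2":
            s = stats[e["path"]]
            s["first"] = min(s["first"] or e["time"], e["time"])
            s["ips"].add(e["ip"])
            s["hits"] += 1
    return dict(stats)

def writes_before(lines, when, minutes=10):
    """Return POST/PUT requests in the window before `when`: candidates for the upload."""
    start = when - timedelta(minutes=minutes)
    return [(e["ip"], e["method"], e["path"]) for e in parse(lines)
            if e["method"] in ("POST", "PUT") and start <= e["time"] < when]

# Constructed sample lines (documentation IP ranges; /form.php is a hypothetical name).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:03:01:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:03:14:55 +0000] "POST /form.php HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:03:15:02 +0000] "POST /log.php HTTP/1.1" 200 20 "-" "-"',
    '203.0.113.44 - - [01/Jan/2024:03:20:41 +0000] "POST /log.php?x=1 HTTP/1.1" 200 20 "-" "-"',
    '203.0.113.90 - - [01/Jan/2024:03:21:13 +0000] "POST /log.php HTTP/1.1" 200 20 "-" "-"',
]

if __name__ == "__main__":
    targets = php_post_targets(SAMPLE)
    for path, s in targets.items():
        print(path, s["first"].isoformat(), len(s["ips"]), "IPs,", s["hits"], "hits")
    print("before first log.php hit:", writes_before(SAMPLE, targets["/log.php"]["first"]))
```

On a real server, pass the open access_log file object in place of `SAMPLE` and compare the first-hit time with the modification time of log.php in httpdocs.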
 