Hey, I know that Plesk 8.6 is a really old version of the plesk panel. We already upgraded to version 11 on our new server, but had the old version running until the complete migration was finished. After the complete migration, we left the server running until now. Our provider told us that there are outgoing ddos attacks from our server. I investigated the problem and for now I found the following files:Code:/usr/local/psa/tmp/app-data.d/ /usr/local/psa/tmp/app-data.d/.wapi/ /usr/local/psa/tmp/app-data.d/.wapi/logs/ /usr/local/psa/tmp/app-data.d/.wapi/-sh /usr/local/psa/tmp/app-data.d/.wapi/start /usr/local/psa/tmp/app-data.d/.wapi/vhosts /usr/local/psa/tmp/app-data.d/.wapi/zmeu.help /usr/local/psa/tmp/app-data.d/multi.tgz /usr/local/psa/tmp/app-data.d/multi.tgz.1 /tmp/multi.tgz /tmp/.wapi/ /tmp/.wapi/logs/ /tmp/.wapi/logs/zmeu.log /tmp/.wapi/r /tmp/.wapi/r/away /tmp/.wapi/r/insult /tmp/.wapi/r/kicks /tmp/.wapi/r/nicks /tmp/.wapi/r/pickup /tmp/.wapi/r/say /tmp/.wapi/r/signoff /tmp/.wapi/r/tar /tmp/.wapi/r/tsay /tmp/.wapi/r/versions /tmp/.wapi/.user /tmp/.wapi/1bil /tmp/.wapi/2bil /tmp/.wapi/85.214.xxx.xxx.user (our ip) /tmp/.wapi/85.214.xxx.xxx.user (second ip) /tmp/.wapi/autorun /tmp/.wapi/core.20163 /tmp/.wapi/core.20165 /tmp/.wapi/harlam.seen /tmp/.wapi/inst /tmp/.wapi/joel.seen /tmp/.wapi/LinkEvents /tmp/.wapi/pico /tmp/.wapi/run /tmp/.wapi/-sh /tmp/.wapi/start /tmp/.wapi/update /tmp/.wapi/vhosts /tmp/.wapi/zakeus.seen /tmp/.wapi/zmeu.cron /tmp/.wapi/zmeu.dir /tmp/.wapi/zmeu.help /tmp/.wapi/zmeu.ini /tmp/.wapi/zmeu.lvl /tmp/.wapi/zmeu.pid It seems that the files came from the plesk temp folder where an archive "multi.tgz" was installed copied to the /tmp folder. The multi.tgz archive contains the .wapi folder. For those interested in the files, I uploaded the multi.tgz archive to my dropbox: https://www.dropbox.com/s/le5ftj8wgsygc81/multi.tgz And also the /tmp/.wapi folder which contains more files than the "original" multi.tgz: https://www.dropbox.com/s/rc8pnw4c8i0smgu/.wapi.rar The malware_removal_script_linux_8.php (http://kb.parallels.com/en/115025) does not remove this malware and the vulnerability checker (http://kb.parallels.com/en/113424) says "The patch has been successfully applied" Maybe the plesk team can investigate this. I did not find anything about this exploit.