Resolved Plesk, what’s going on here? - Imunify auto installation

Could you please elaborate on that question? I am not entirely sure I understand it. Sorry.

Once Imunify is installed (even without explicit permission), it begins scanning the server and uploading files it deems suspicious to external servers.

The extent of this behavior is unclear: it's not known whether Imunify uploads entire files or just fragments.

Regardless, this constitutes a serious security breach.

In the console.log, the data transfer is clearly visible:

imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/domain.com/xxxx.php' to the Malware Response Service with reason: extended-

This is a critical issue — a data leak caused by the unauthorized installation of a third-party extension.
 
@Fede Marsell, I consulted with our team about your case. The Malware Response Service is not part of the free Imunify extension, which suggests that you do have an Imunify360 license on the server in question. Therefore, the automatic installation (replacement) of the extension is expected in your case.

The functionality itself is intended to find suspicious files and send them for analysis to CloudLinux servers. Please note that files containing personal or sensitive information are removed from the pipeline immediately on detection. Cloud scanning can be disabled by running:

Code:
imunify360-agent config update '{"MALWARE_SCANNING": {"sends_file_for_analysis": false}}'

but the detection rate will be worse - some scanning methods require a lot of RAM or heavy computing to unpack obfuscated code or separate edge cases, and thus are not practical to run on individual servers.

If you have any additional questions or concerns, please directly get in touch with Plesk or CloudLinux support, as with limited server information we won't be able to precisely address the case.
 
I've never installed Imunify and I've never purchased a license for this extension. Never.

I manage more than 50 servers with PLESK, and on most of them, Imunify was automatically installed without consent and has sent sensitive information to external servers.

Any user can review its logs. They can see how their files have been transferred to Imunify's external servers.

They just need to check the logs (grep Uploaded /var/log/imunify360/console.log).

I repeat, this is extremely serious.
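The log check suggested above (grep for "Uploaded" in console.log), worked out as a small POSIX shell helper. This is an added example, not code from the thread, Plesk or Imunify; it parses lines in the format quoted earlier, reports which files and vhosts were uploaded, and prints (without running) the disable command given above. The log lines and reasons in it are constructed samples.

```shell
#!/bin/sh
# Added example: audit Imunify360 upload records in console.log.
# On a real server set LOG to the path named in the thread,
# /var/log/imunify360/console.log, and pipe it into the functions below.
LOG="${LOG:-/var/log/imunify360/console.log}"

# Constructed sample lines in the format quoted in the thread
# (the reasons are placeholders, not real Imunify reason codes).
sample_log() {
  cat <<'EOF'
imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.com/httpdocs/wp-content/uploads/x.php' to the Malware Response Service with reason: sample-reason-a
imav.malwarelib.utils.malware_response: Uploaded file '/var/www/vhosts/example.org/httpdocs/wp-config.php' to the Malware Response Service with reason: sample-reason-b
imav.malwarelib.scan: scan finished
EOF
}

# Read a log stream on stdin; print "path<TAB>reason" per upload record.
# The path is the single-quoted field; the reason follows "with reason: ".
uploaded_files() {
  awk -F"'" '/Uploaded file .* to the Malware Response Service/ {
    path = $2; sub(/.*with reason: /, "", $3); print path "\t" $3 }'
}

# Number of upload records in a log stream on stdin.
count_uploads() {
  uploaded_files | wc -l | tr -d ' '
}

# Distinct vhosts (directory under /var/www/vhosts/) with at least one upload.
affected_vhosts() {
  uploaded_files | cut -f1 | sed -n 's#^/var/www/vhosts/\([^/]*\)/.*#\1#p' | sort -u
}

# The command quoted in the thread that turns cloud upload off; printed, not run.
disable_command() {
  printf '%s\n' "imunify360-agent config update '{\"MALWARE_SCANNING\": {\"sends_file_for_analysis\": false}}'"
}

# Demo on the constructed sample; use "uploaded_files < $LOG" on a real server.
if [ "${1:-}" = "--demo" ]; then
  sample_log | uploaded_files
  printf 'affected vhosts:\n'; sample_log | affected_vhosts
  printf 'to disable cloud upload:\n'; disable_command
fi
```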
 
According to what I have been told, this is a paid functionality and should not be present without an Imunify license. Nevertheless, as previously mentioned, files containing personal or sensitive information are removed from the pipeline immediately on detection. This has been consulted with CloudLinux and confirmed by their team.
 
The "Malware Scanner" is indeed enabled and usable in the free edition.
In fact it's the only component that is available in the free edition and it gets installed on a Plesk server by default.

While the "Malware Scanner" is somewhat limited in the free edition (like only one scan per month), it will of course still use the function to upload suspicious code to CloudLinux for further analysis.

I can see that some people may have a problem with that, despite the fact that this behavior is common and widely used in the AV industry.
 
While the Malware Scanner itself is available, according to our discussion with CloudLinux, the file upload process is part of a paid functionality that should not be available in the free edition. This statement is based on the log provided earlier in the thread. Unfortunately, we can't confirm for sure what's triggering that behavior without server access. Nevertheless, in terms of a security breach concerning the files uploaded to CloudLinux, the sensitive data is excluded.
 
I can see that some people may have a problem with that, despite the fact that this behavior is common and widely used in the AV industry.

The problem is that both the installation of the extension and the data transfer happened without any prior authorization or consent.

This is a serious breach.
 
While the Malware Scanner itself is available, according to our discussion with CloudLinux, the file upload process is part of a paid functionality that should not be available in the free edition. This statement is based on the log provided earlier in the thread. Unfortunately, we can't confirm for sure what's triggering that behavior without server access. Nevertheless, in terms of a security breach concerning the files uploaded to CloudLinux, the sensitive data is excluded.

@Sebahat.hadzhi

I think that @Fede Marsell is addressing an issue that should indeed be called a "data leak" in a legal sense.

There is no legal ground for sharing data / uploading data by an extension, if that extension has not been installed explicitly and (legal) conditions have not been agreed to explicitly.

The degree to which the "data leak" occurs and the severity of the "data leak" depend on the information shared / uploaded.

Plesk is - essentially - responsible for the current "data leak" and, if any "data leak" exists in a legal sense, Plesk can be fined in most European countries.

Stated differently, @Fede Marsell addresses an issue that is in the interest of Plesk.

In fact, Plesk should really "control" the data that can be shared / uploaded by limiting that data to (a) a very limited set of data and (b) a limited set of data that is not harmful in any way (and that can never do harm in any sense).

For instance, Plesk should not "allow" Imunify to retrieve WP config files (since they contain access data that you do not want to share); however, general WP files can be easily shared (since that can never do harm).

As another example, Plesk should never "allow" Imunify to scan files or config files that are inherent to the server (since Imunify does not actually do anything with them; Imunify is not that advanced).

In my humble opinion, there is a black box called Imunify with too many unknowns and too much uncertainty; it is not a good thing that it exists.

Plesk should really consider alternatives to Imunify.

Kind regards......
 
There is no legal ground for sharing data / uploading data by an extension, if that extension has not been installed explicitly and (legal) conditions have not been agreed to explicitly.

Plesk is - essentially - responsible for the current "data leak" and, if any "data leak" exists in a legal sense, Plesk can be fined in most European countries.

Indeed.

PLESK's official silence on this issue makes the problem even more serious.
 
@Fede Marsell

The statement

PLESK's official silence on this issue makes the problem even more serious.

is not really accurate.

I can safely assume that Plesk is looking into the matter, before making any (bold or implicit/explicit) statements.

If that assumption can be proven to be incorrect, then there is a case of "negligence".

The legal aspects of this matter are essentially a Gordian Knot - it is hard to say who is responsible or even liable for what, since any responsibility / liability really depends on the factual reality.
Nevertheless, I adhere to your point of view that Plesk should investigate this matter fast and thoroughly.

It simply cannot be the case that an extension can - potentially or factually - be the root cause of any problem related to "data leaks".

In addition, it cannot be the case that an extension like Imunify is introduced and makes a mess of Plesk or the proper functioning of Plesk.

In summary, it has been excellent that you pointed out an important topic ......... but we all have to have some patience and confidence.

However, it is always good if you (and others) keep posting, since those posts are essentially reminders to Plesk.
Kind regards....