ganastasiou
New Pleskian
Hello everyone,
I think my server is hacked. This started to happen 2 days ago when a lot of resources were used and killed my services. Using top, there were a lot of processes named '/usr/sbin/httpd' and 'perl'.
I use maldet, fail2ban, and plesk firewall. This server was rebuilt but seems that the problems are still there.
I think that some websites are the reason, because based on 'last' command. I am the only one who uses ssh.
But 'last' shows a lot of users using proftpd and two weird things happen, last command shows ip connected the 127.0.0.1 or global ip for some ftp users. I think this isn't normal.
Also mod_status from apache, shows in 'Client' column some websites are requested by the global ip of the server. This is probably not normal.
Any advice in what to do?
Thanks in advance
Edited: Forgot to mention server runs in Debian 7 x64 and uses Plesk Panel 11.5
I think my server is hacked. This started to happen 2 days ago when a lot of resources were used and killed my services. Using top, there were a lot of processes named '/usr/sbin/httpd' and 'perl'.
I use maldet, fail2ban, and plesk firewall. This server was rebuilt but seems that the problems are still there.
I think that some websites are the reason, because based on 'last' command. I am the only one who uses ssh.
But 'last' shows a lot of users using proftpd and two weird things happen, last command shows ip connected the 127.0.0.1 or global ip for some ftp users. I think this isn't normal.
Also mod_status from apache, shows in 'Client' column some websites are requested by the global ip of the server. This is probably not normal.
Any advice in what to do?
Thanks in advance
Edited: Forgot to mention server runs in Debian 7 x64 and uses Plesk Panel 11.5
Last edited: