• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Probably my server is hacked and compromised?

ganastasiou

New Pleskian
Hello everyone,

I think my server is hacked. This started to happen 2 days ago when a lot of resources were used and killed my services. Using top, there were a lot of processes named '/usr/sbin/httpd' and 'perl'.
I use maldet, fail2ban, and plesk firewall. This server was rebuilt but seems that the problems are still there.

I think that some websites are the reason, because based on 'last' command. I am the only one who uses ssh.
But 'last' shows a lot of users using proftpd and two weird things happen, last command shows ip connected the 127.0.0.1 or global ip for some ftp users. I think this isn't normal.
Also mod_status from apache, shows in 'Client' column some websites are requested by the global ip of the server. This is probably not normal.

Any advice in what to do?

Thanks in advance

Edited: Forgot to mention server runs in Debian 7 x64 and uses Plesk Panel 11.5
 
Last edited:
Back
Top