
Redirect Hack

James Roberts

Guest
Hi

It would appear that someone has hacked into my system and now when accessing domains they redirect to a spam site which tries to install trojan viruses. It doesn't happen every time, just most!

How can I find where this has been installed so that I can get rid of it?

Thanks
Jim
 
On one of the sites affected, I have now completely deleted the account and re-created it and still have the same problem.

I have checked all the DNS settings and can't see anything there... not sure where else to check!

I am on the latest update for Plesk.
 
IMO - easiest way to make all domains redirect to single place is to create vhost for all IPs in apache main config file.

Check httpd.conf or apache2.conf on debian.

Also, just in case you may wish to check individual config files for domain:
grep -i <something_suspicious> /var/www/vhosts/*/conf/*

It is strange that it does not happen all the time...

Anyone have any other ideas?
 
Please be more descriptive in your discussion when asking a question of this nature. I realize this is the Linux based forum but:

1. Which operating system are you using: CentOS / Fedora / Ubuntu / etc

2. Are you using Virtuozzo 3.0 / 4.0 ?

3. Where did you find the hack / redirect

4. Did you look in the /root/home directory for any newly created users?

5. Do you have any processes running that are new to you or the system

6. Look for a file called .htaccess - see below

http://www.velvetblues.com/web-development-blog/301-redirects-with-htaccess-files-on-linux-apache/
 
64bithost

Sorry, you're talking to someone who doesn't have a great experience in this area!

1. CentOS

2. Not using it.

3. When accessing the domain, every so often it will just re-direct you to a spam page.

4. No

5. Unknown, they all look ok, but I could be wrong.

6. I will check this, but wouldn't this happen every time?
 
Hack attacks

64bithost

Sorry, you're talking to someone who doesn't have a great experience in this area!

1. CentOS

2. Not using it.

3. When accessing the domain, every so often it will just re-direct you to a spam page.

4. No

5. Unknown, they all look ok, but I could be wrong.

6. I will check this, but wouldn't this happen every time?

1. Makes life easier - CentOS is a direct derivative of Red Hat.
2. For better stability in the future you should consider using Virtuozzo 4.0 or greater
3. As stated by Maa, check the directory structure for your domain.conf file
4. You need to check to see if there are any other users on your server than just you. If there are then you need to do an extensive search of your server.
4a. Go to /root/home and type # ls -a; this shows all the files listed in the directory.
5. Look for a javascript or cgi-bin file that is new that creates random redirects

http://www.artsackett.com/freebies/redirect/redirect.shtml

http://www.tizag.com/javascriptT/javascriptredirect.php

6. Yes you are correct.

7. Lastly look under I.P. redirects

http://amifamousnow.com/how-to/howto-htaccess-ip-redirect-to-any-site/
 
3. Checked the .conf files and saw nothing to suggest there was a redirect
4. The only user shown is ftp, which I believe is meant to be there.
5. cgi-bin was empty
6. No .htaccess files found.
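
The checks suggested in this thread (main Apache config, per-domain config files, .htaccess) gathered into one scan; this is an added example, not part of the original posts. The file-name patterns and the paths in the usage comment are assumptions, and the COND tag marks a RewriteCond, whose rule applies only to requests that match the condition.

```sh
#!/bin/sh
# Added example (not from the thread): list Apache directives that can redirect
# a visitor, in .htaccess files and vhost/server config files.
# File-name patterns (*.conf, *.include) are assumptions about the layout.

# mod_alias, mod_rewrite and core directives able to send a request elsewhere.
REDIRECT_RE='^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule|RewriteCond|ErrorDocument)[[:space:]]'

# scan_redirects PATH...
# Prints "TAG<TAB>file:line:text" per hit. TAG is:
#   COND      RewriteCond: the rule that follows fires only for matching requests
#   EXTERNAL  directive whose arguments contain an absolute http(s) URL
#   LOCAL     any other redirect-capable directive
scan_redirects() {
    for path in "$@"; do
        [ -e "$path" ] || continue
        find "$path" -type f \( -name '.htaccess' -o -name '*.conf' -o -name '*.include' \) \
            -exec grep -HniE "$REDIRECT_RE" {} + 2>/dev/null |
        while IFS= read -r hit; do
            # Drop "file:line:" and lowercase; Apache directive names are case-insensitive.
            text=$(printf '%s' "${hit#*:*:}" | tr '[:upper:]' '[:lower:]')
            case "$text" in
                *rewritecond*)        tag=COND ;;
                *http://*|*https://*) tag=EXTERNAL ;;
                *)                    tag=LOCAL ;;
            esac
            printf '%s\t%s\n' "$tag" "$hit"
        done
    done
}

# Example: sh scan.sh /etc/httpd /var/www/vhosts
if [ "$#" -gt 0 ]; then
    scan_redirects "$@"
fi
```

Commented-out directives are skipped, and any EXTERNAL or COND hit that the site owner did not write is worth reading in full in the file it names.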
 