• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Virus

K

karam

Basic Pleskian
Hello there,
Anyone has encountered this before ?
It made every website in the infected subscription down.

The thing is that we don't know how got it.
 

Attachments

  • Strange.PNG
    Strange.PNG
    146.8 KB · Views: 24
We traced it, it seems 1 website had a week password, and it was attacked, through that attack it infected all the websites in that subscription.

One more new thing to learn.
 
The website has been hacked. If this is a cms like Wordpress or Joomla probably the core or some plugin are not updated to the latest version.
You have to find the source of the problem, patch it and then remove all suspicious files.
Also always use strong password for mail, ftp and plesk access.
 
D4NY said:
The website has been hacked. If this is a cms like Wordpress or Joomla probably the core or some plugin are not updated to the latest version.
You have to find the source of the problem, patch it and then remove all suspicious files.
Also always use strong password for mail, ftp and plesk access.
Click to expand...

Thank you, yes I did so, it seems that the problem is caused by week password, actually it was a test website and had a pass from 1 to 6.
But I didn't expect it would effect other websites in the same subscription, also it had run a process in plesk it self, which was like wow, everything is removed regarding it. But would it's extents reach the server it self or that's kinda impossible ?
 
Here's a screenshot from what I grabbed from it's main folder.
 

Attachments

  • VirFiles.PNG
    VirFiles.PNG
    35.8 KB · Views: 9
Other websites and Plesk should not be damaged. Something similar happened to one of my websites but no other functions was involved.
 
karam said:
Thank you, yes I did so, it seems that the problem is caused by week password, actually it was a test website and had a pass from 1 to 6.
But I didn't expect it would effect other websites in the same subscription, also it had run a process in plesk it self, which was like wow, everything is removed regarding it. But would it's extents reach the server it self or that's kinda impossible ?
Click to expand...

If the websites are under one subscription, All of them have the same system user. Which means whoever gain access to one website can go through all the websites under the same subscription.
 
AusWeb said:
If the websites are under one subscription, All of them have the same system user. Which means whoever gain access to one website can go through all the websites under the same subscription.
Click to expand...

Thank you for the information.
 
You must log in or register to reply here.

Similar threads

P
Resolved Issue with Subscription Backups in Plesk CLI Using FTP Storage
Replies
5
Views
363
paolotrombini25
P
Talistech
Resolved Backups failing since a couple days: Unable to run the backup agent
Replies
1
Views
3K
Talistech
Talistech
burnley
Question Creating default permissions for user roles across plesk server.
Replies
1
Views
246
Kaspar@Plesk
Kaspar@Plesk
T
Issue ERROR: Dr.Web Updater: failed to download files ! return code 105
Replies
3
Views
701
Kaspar@Plesk
Kaspar@Plesk
I
Issue xmri Infected
Replies
2
Views
519
Inma
I
Back
Top