• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:
    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Wordpress sites under Plesk 11.5 hacked

S

SalvadorS

Regular Pleskian
Hello,

Maybe this is not related to plesk but any idea would be great

I have a Debian 7 Plesk 11.5 box.

Today I noticed that a lot of wordpress sites were hacked at the same time. The problem is that the hackers obtain the wp-config.php files from all the sites of wordpress and store in a folder of one domain. Then the add a username in the database of wordpress and then "hacked" the site

The question is: How is possible to obtain multiple files from multiple domains in a server? It seems they updated a file called x.php in the wp-admin folder and with this php they can obtain all wp-config.php from the domains in the server.

Somebody know how or how can we stop this again in the future?

Thanks

PD: Also joomla sites were hacked. database credentials were stolen too (moved to a folder of one domain) and user was added to the database to access.
 
Last edited:
Hi abdi,

Thanks for the reply. I think the article is refering the old plesk passwords vulnerability, isn´t it? This is not the problem as this server is 11.5 plesk. Is seems there is a vulnerability with a wordpress plugin. The question is who the hacker can get all the wp-config.php from the server not just the file from the site with the exploited plugin...

Also joomla sites were hacked. database credentials were stolen too (moved to a folder of one domain) and user was added to the database to access.
 
Salvador,
Using a compromised plugin a hacker can access all httpdocs on your server.
Normally, mod_security can help mitigate such hacks...
 
I don´t underestand how a compromised plugin in a site can access to a hole /var/www/vhosts/*/httpdocs folders in all the server. This must be a plesk vulnerability...
 
Not mod_php of fast cgi. Cgi or perl is enabled in a lo of sites. It is possible to disable server wide in the future?

I think the problem was with a site with a joomla too old (1.6) but I don´t understand how it is possible to access to the whole /var/www/vhosts/*/httpdocs folder to obtain files. It must be a plesk security issue...
 
SalvadorS said:
...

I think the problem was with a site with a joomla too old (1.6) but I don´t understand how it is possible to access to the whole /var/www/vhosts/*/httpdocs folder to obtain files. It must be a plesk security issue...
Click to expand...

First of all "you think", that the cause was a Joomla site, but you say, that you don't understand how the whole domain-specific httpdocs folder can be compromised and due to the case, that you don't even do a little research with your logs, WHAT the definite causes are, the only reason YOU could think of, is a Plesk security issue?!?!?

Well, sorry to disappoint you, SalvadorS, but Plesk is absolutely not responsible for your issue, nor does it have security holes, which might cause such issues. Please stop to blame Plesk, if you can't prove to be the cause of YOUR issue. Please start investigating your logs and your content, before you continue to blame others and if you are not able to point to security holes, it's rather strange to assume them. o_O

http://lmgtfy.com/?q="Joomla"+"exploit"
 
Dear UFHH01,

Thanks for your reply.

I searched the logs, was the first thing we did. We found a site, with a folder created with all the wp-config.php files of all the wordpress sites of the server installed in the / folder of the site. Then they accessed to the databases, created an admin users and hacked all the wordpress sites. Sites with wordpress with 4.1.1 were affected too.

Do you think is possible to access from one domain to another domain to obtain a file? To 40+ different sites at the same time? (the files were with the configuration info were created in one minute) If you think so, maybe is not a plesk problem but I don´t understand how it is possible... Maybe you have a better answer
 
Sorry SalvadorS,

but your informations are too holey, so that your question can certainly be answered with a "yes, that IS possible". You don't even point out, which WP-plugins you use, nor do you tell us something about your server configurations ( and update procedures ) and you don't explain, HOW you installed wordpress and how you secured it. Investigations are not done with guessing and without ALL domain - logs, configuration - files, wp-configuration - files and other depending server - logs, we can only shoot out of the blue with a guess.... which doesn't help anyone... and especially not you. Such discussions are pretty uselsss, because there are tons of possible ways, how to "hack" a CMS and it's content, depending on it's configurations.

You will find a lot of helpfull people here in the forums, if you explicit ask for help to secure a CMS, but you won't get any answers, when you ask for possible ways, how to hack a site/domain/server.
 
Dear UFHH01,

As you probably know, yesterday was a nightmare trying to fix all the problems. Migrate domains to Plesk 12, update wordpress, plugins and themes, blocking joomla with old versions...

We will try to investigate the logs deeper, but the only thing I know is somebody put in a site folder with ww-data permisions +40 files with the configuration of 40 different wordpress of the server in two minutes. Then zipped it, download it and then the rest. Is hard for me to understood how it is possible to do this. I can understand it in one domain but in 40 different at the same time... And the problem is I don´t know how the did this. I can only upgrade, fix, block and wait if I don´t have problems like this again.

Finally I don´t want to know who can hack a server, I want to know how to protect it.

Regards
 
Hello Takeda,

Sorry to hear that. You must update all the wordpress and all the plugins, check for suspicious files, check also if you have old joomla installations and ban them.

It is possible to obtain root privileges of one server in certain circumstances for a hacker that upload files to the server...
 
You must log in or register to reply here.

Similar threads

brother4
Question Why isn't xmlrpc.php monitored by the WordPress jail in Fail2Ban?
Replies
8
Views
527
Maarten
M
T
Issue Replace a folder and all contents rather than replace changed files?
Replies
4
Views
762
thinkjarvis
T
E
Issue Abnormal CPU usage and Apache crash
Replies
13
Views
3K
MartinT
M
carlsson
Resolved Panic! Site crashed and restoring backup fails
Replies
18
Views
1K
carlsson
carlsson
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
1
Views
242
Sebahat.hadzhi
Sebahat.hadzhi
Back
Top