Hacked and replaced by linkbucks.com

[HansUnland]

Hello All.

My server runs CentOS 6 with Parallels Plesk Panel 11.0.9. Yesterday it was hacked. All index.* and some main.* files were replaced by a page referring to linkbucks.com. Not only the files of my clients, for which I have backups. But also the plesk installation, mail-server and probably some others are defective. Is this caused by a known vulnerability?

Kind regards
Hans

 

[IgorG]

First of all I suggest you read carefully this article - Parallels Plesk Panel security best practices
Also note that server may be hacked by not only Plesk possible vulnerability but OS, kernel, any other package vulnerability too.

 

[HansUnland]

Hello Igor,

Thanks for your answer. I did not write that the vulnerability came from Plesk. I simply asked whether there is something known.

Kind regards
Hans

 

[InderS]

Hello,

I will suggest you applies some security to your server so that you should not face any issues with the server security. Please check the following and update it on your server,

1) Your server is hacked so please change all account password
2) Check your server kernel and update it to latest version
3) Install mod security on your server with the apache
4) Install Linux Malware Detect (LMD) on your server and setup the cron for weekly scanning : http://www.rfxn.com/projects/linux-malware-detect/
5) Install firewall and open only require port : Plesk port list : http://kb.parallels.com/en/391
6) secure SSHD service
7) Disable the some risky php function in your server php.ini file

 

[HansUnland]

Hello,

In between I recreated my server completely. Don't know exactly which way the intruder took. But I guess it was a plain FTP account. Ok, I know, I know, that's stupid. But a friend wanted to send me some big files and was not familiar with SFTP. Will never do this mistake. Meanwhile my server had never been attacked.

Many thanks for your answers.

Kind regards
Hans