
Lots of apache /usr/sbin/apache2 -k start processes

bob231

Basic Pleskian
We got notices from our VPS provider that our VPS may have problems:

They point to this report: http://firewall.sigsiu.net/index.php?ip=85.17.149.15&force=1

On the server we notice there is a large number of perl processes.
When we check the command of one of those processes in /proc, it says:
/usr/sbin/apache2 -k start

We also enabled server-status in http to find out more information about the process, but these processes were not displayed.

Then we ran rkhunter; it didn't detect any malware.
My question is: how can we be sure this VPS isn't hacked, and how can we find out more information about the perl processes?

Thanks a lot.
 
First, please turn on mod_security to make sure that these exploits are blocked by your server.

"mosConfig_absolute_path" is used in insecure Mambo and Joomla sources, and with this part of the code it is possible to include a remote file in a URL. So please check the Mambo and Joomla sources and extensions for such exploits and deactivate them by renaming the whole folder of the source or extension on that domain. Inform the subscriber of the domain that you deactivated the source or extension for security reasons.
 
Thanks for the feedback! It's really useful. Do you maybe also know a way to detect all insecure sources in one command?
We have to find files containing mosConfig_absolute_path, right?
 
@bob231 :

You could use "find" or "grep" on Linux-based systems.

Example:

grep -H -r "mosConfig_absolute_path" /var/www/

This will search for the pattern "mosConfig_absolute_path" in the folder "/var/www/" recursively. Depending on your domains and files on your system, this could take a while... get some coffee and enjoy the sun while the search takes place. ^^
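
For the earlier question about the perl processes that report `/usr/sbin/apache2 -k start` as their command, here is an added example (not part of the thread) that compares each process's claimed command line with the binary the kernel actually loaded and prints the working directory of every mismatch. The function names and the `PROC_ROOT` variable are this example's own.

```shell
#!/bin/sh
# Added example: list processes whose claimed command line names a different
# binary than the one the kernel actually loaded (/proc/<pid>/exe).
# Run as root so the exe links of every user's processes are readable.

# Resolve symlinks where possible, otherwise return the path unchanged.
canon() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# find_masquerading [proc_root]
# Output, tab separated: PID, real executable, claimed argv[0], working directory
find_masquerading() {
    local proc_root="${1:-/proc}" dir pid exe claimed cwd
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # exe is set by the kernel; the process cannot rewrite it.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        # Drop the marker the kernel appends when the binary was replaced on disk.
        exe="${exe% (deleted)}"
        # cmdline is NUL separated and writable by the process (perl: $0 = "...").
        claimed="$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)"
        # A rewritten title is often one string with spaces: keep the first word.
        claimed="${claimed%% *}"
        # Only absolute paths are compared; titles such as "sshd: user" are skipped.
        case "$claimed" in
            /*) ;;
            *) continue ;;
        esac
        [ "$(canon "$claimed")" = "$(canon "$exe")" ] && continue
        # The working directory often shows where the script was started from.
        cwd="$(readlink "$dir/cwd" 2>/dev/null)" || cwd="?"
        printf '%s\t%s\t%s\t%s\n' "$pid" "$exe" "$claimed" "$cwd"
    done
    return 0
}

# Scan the live system; set PROC_ROOT to point at a copied /proc tree instead.
find_masquerading "${PROC_ROOT:-/proc}"
```

For each PID it prints, `ls -l /proc/<pid>/fd` and the process owner show which files and sockets the process holds and which account it runs under.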
 