PHP script injections, can Plesk help me find the culprit

LoïcM

Basic Pleskian
Hi all, my server is compromised as every day I can see malicious PHP scripts created and buried in some websites. I'm able to find these from the access log, looking for POST requests on unusual PHP locations (example: POST /assets/images/actus/start.php HTTP/1.0). So I've created a fail2ban filter to ban IPs accessing these URLs but this doesn't stop the root cause of infection.
Can Plesk help me understand how those scripts are created?
Thank you
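The log search described in the post above, written out as an added example (not part of the original thread and not a Plesk tool): it flags POST requests to `.php` files under directories that should hold only static content, and records when each path was first requested and by which clients. The directory list and the sample log lines are constructed assumptions.

```python
import re

# Apache/nginx "combined" format: host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Assumption: directories that should only ever serve static files on this site.
STATIC_DIRS = ("/assets/", "/images/", "/img/", "/uploads/", "/css/", "/js/")

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:03:14:07 +0100] "POST /assets/images/actus/start.php HTTP/1.0" 200 312 "-" "-"
198.51.100.23 - - [12/Mar/2016:03:20:41 +0100] "POST /assets/images/actus/start.php HTTP/1.0" 200 298 "-" "-"
192.0.2.10 - - [12/Mar/2016:09:02:11 +0100] "POST /contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2016:09:02:12 +0100] "GET /assets/images/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

def is_suspicious(method, path):
    """True for a POST to a .php file located under a static-content directory."""
    path = path.split("?", 1)[0].lower()  # drop query string, ignore case
    return (method == "POST" and path.endswith(".php")
            and any(d in path for d in STATIC_DIRS))

def find_dropped_scripts(lines):
    """Map each suspicious path to its first-seen timestamp, hit count and client IPs.

    Lines are assumed to be in chronological order, as in a normal access log.
    """
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_suspicious(m["method"], m["path"]):
            continue
        path = m["path"].split("?", 1)[0]
        entry = hits.setdefault(path, {"first_seen": m["ts"], "hits": 0, "ips": set()})
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
    return hits

if __name__ == "__main__":
    for path, e in find_dropped_scripts(SAMPLE_LOG.splitlines()).items():
        print(f'{path}  first seen {e["first_seen"]}  hits={e["hits"]}  ips={sorted(e["ips"])}')
```

The first-seen time is the useful part for finding the entry point: compare it with the modification time of the file on disk and review the requests logged shortly before it.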
 
Can Plesk help me understand how those scripts are created?
Frankly, it is an out-of-scope task even for the Plesk Support Team.
Regarding the forum: how do you imagine doing a security audit of your server within the scope of a forum discussion? Direct root SSH access to your server and a serious investigation are required. It is really a system administrator's task.
I can suggest you carefully read this documentation, for example http://docs.plesk.com/en-US/12.5/advanced-administration-guide-linux/enhancing-security.68755/ or https://kb.plesk.com/en/114620
I hope it will help. Or maybe someone from the community will help you with a security audit of your server.
 
Thank you Igor, I've been parsing many log files for days without finding the hole, so I was just wondering if Plesk had some tools that can point me to some security flaws... I will check your links, thanks.
 
This has nothing to do with Plesk but I've just found OSSEC and it's a great tool to know what is happening on a server by checking for rootkits, monitoring logs, verifying checksums of important files, etc.
OSSEC can be found on GitHub: http://ossec.github.io/
 
Hi all, my server is compromised as every day I can see malicious PHP scripts created and buried in some websites. I'm able to find these from the access log, looking for POST requests on unusual PHP locations (example: POST /assets/images/actus/start.php HTTP/1.0). So I've created a fail2ban filter to ban IPs accessing these URLs but this doesn't stop the root cause of infection.
Can Plesk help me understand how those scripts are created?
Thank you

If you rules all security until from your server with panel Plesk,
you can use the htaccess:
I assembled it all, if you want: http://alexonbalangue.me/offline/référencement-sécuriser-votre-site.html. You need to edit the files to adapt them for your website.

Hacker passed:
  • SSH, XSS, injecting SQL, etc...
Next step:
  1. Fix security
  2. Re-build your website
  3. update your website
  4. etc...
 