Anyone running a Plesk server prior to version 10.4.x should be looking at this as a matter of urgency.

1and1 have put together a good FAQ on what to look for, and how to patch or upgrade your server to the latest version.

A quick run through on what they say:

1. A couple of tips on how to spot a possible compromise, namely: a sharp increase in traffic, the server running slower than usual, and unknown processes in the process list. (See the 1and1 FAQ.)

2. If you have been compromised, you need to back up your files and re-image the server to the latest version of Plesk. Choose completely new passwords for everything when you re-image, because you can’t be sure the originals haven’t been exposed.

3. If you haven’t been compromised, the suggested route is to upgrade your server to Plesk 10. This isn’t always possible; where you can’t upgrade, there is a patched solution, see below:

Patching your Plesk server

SSH into your server and run the following command:
wget http://kb.parallels.com/Attachments/19203/Attachments/plesk_remote_vulnerability_checker.php

Now run:
php -d safe_mode=0 plesk_remote_vulnerability_checker.php

The response should either be “The patch has not been applied.” or “The patch has been successfully applied”. If the patch HASN’T been applied, run the following commands:

wget http://kb.parallels.com/Attachments/18827/Attachments/api.tar.gz
tar xfvz api.tar.gz

mv /usr/local/psa/admin/plib/api-rpc/Agent.php /usr/local/psa/admin/plib/api-rpc/Agent.php.backup

cat /usr/local/psa/version

The first field of that file is the installed Plesk version (for example 10.1.1). Copy the patched Agent.php for that version into place using:
cp api/plesk-10.1/Agent.php /usr/local/psa/admin/plib/api-rpc/Agent.php
replacing plesk-10.1 with the directory that matches the version it told you.

Now run the Plesk vulnerability checker again with:
php -d safe_mode=0 plesk_remote_vulnerability_checker.php

It should now say “The patch has been successfully applied”. Be sure to change all your passwords anyway. The full 1and1 FAQ can be found here
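The check-and-patch steps above wrapped into one script, as an added example that is not from the 1and1 FAQ or from Parallels. It assumes api.tar.gz has already been extracted into ./api, that its per-version directories are named plesk-<version> using either the full version or major.minor (an assumption), and it keeps the original Agent.php as Agent.php.backup as the steps above do; PSA_ROOT and API_DIR can be overridden to try it against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the 1and1 FAQ or Parallels): apply the Agent.php
# hotfix described above, keeping a backup of the original file.
# Assumes api.tar.gz has already been extracted into $API_DIR.
PSA_ROOT="${PSA_ROOT:-/usr/local/psa}"   # Plesk install root
API_DIR="${API_DIR:-./api}"              # where api.tar.gz was unpacked

plesk_version() {
    # Plesk keeps its version in $PSA_ROOT/version; the first field on the
    # first line is the version number, e.g. "10.1.1".
    awk 'NR==1 {print $1}' "$PSA_ROOT/version"
}

patch_agent() {
    ver=$(plesk_version) || return 1
    dst="$PSA_ROOT/admin/plib/api-rpc/Agent.php"
    [ -f "$dst" ] || { echo "no Agent.php at $dst" >&2; return 1; }
    # Assumption: the tarball's directories are named plesk-<version>, with
    # either the full version or major.minor, so try both in that order.
    src=""
    for cand in "plesk-$ver" "plesk-${ver%.*}"; do
        if [ -f "$API_DIR/$cand/Agent.php" ]; then src="$API_DIR/$cand/Agent.php"; break; fi
    done
    [ -n "$src" ] || { echo "no patched Agent.php for Plesk $ver in $API_DIR" >&2; return 1; }
    # Keep the original for rollback, but never overwrite an existing backup
    # (a second run must not clobber the pristine copy with the patched one).
    [ -f "$dst.backup" ] || cp "$dst" "$dst.backup"
    cp "$src" "$dst" && cmp -s "$src" "$dst"
}

# 'sh patch_agent.sh apply' runs the Parallels checker (downloaded as in the
# steps above) and patches only when it reports the patch is missing.
if [ "${1:-}" = "apply" ]; then
    php -d safe_mode=0 plesk_remote_vulnerability_checker.php \
        | grep -q 'has not been applied' && patch_agent
fi
```

Run the checker once more afterwards, as above, to confirm it now reports the patch as applied.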

DTF Digital