What to do if the server was hacked?


2017-03-24 13:35:53 UTC


2017-08-16 04:17:18 UTC


Was this article helpful?

Have more questions?

Submit a request

What to do if the server was hacked?

Applicable to:

  • Plesk for Linux
  • Plesk for Windows


What to do if the server was hacked?


If it is required to investigate how the server was hacked, first of all, do not change anything, leave it all as is. Then, perform the following actions:

  • Isolate server and clone it, if possible. Or create a snapshot of the server.
  • Create a full server backup or full Plesk backup if cloning/snapshot is not possible.
  • (Linux Only)Make a copy of /var/logs directory.
  • (Linux Only)If only one subscription was hacked create a change time file of this directory:

    # cd /var/www/vhosts/domain_name
    # find . -exec ls -ld --time-style=full-iso --time=ctime {} + > ctime.txt

  • (Linux Only)Make a copy of all the new files found in /root/ directory with change time.
  • (Linux Only)Known rootkits can be found using rkhunter tool that is a part of Watchdog extension (How to install Watchdog for Plesk). Check the system with rkhunter:

    # /usr/local/psa/admin/bin/modules/watchdog/rkhunter -c

  • (Windows Only)Export all logs in Event Viewer and save them to the safe place.
  • (Windows Only)Backup all log files of IIS which are located in C:/Inetpub/vhosts/[name of domain]/Logs for all the domains of the server.

Additionally, consider contacting a security company that investigates such cases.

Perform a cleanup of the server using possible options:

  • (Linux Only)If the 'root' user was hacked, it is better to reinstall OS at all.
  • Restore the server from backup or snapshot if any and change all passwords.
  • If there is no backup, kill all strange processes and prevent their execution.
  • Reboot the server to make sure that all the malware processes are closed and not restarted.
  • Suspend the affected subscription, if known, removing content if required.
  • (Linux Only)Remove all the new or strange files found in /root/ directory.
  • Install OS updates.
  • Install any antivirus software and scan the system.
  • Use any online scan services to scan the affected website for any infected scripts.
  • Change all the passwords
  • Perform any actions focused on server security improvement

Additional actions that can be done to protect the server from hacking:

  • Allow SSH access via keyfile
  • Make sure to activate all security functions to prevent new hacks, including SELinux.
  • Use Web Application Firewall .
  • Switch off Perl and Python unless really used and never use mod_perl as well as mod_php .
  • Disable unused services and modules.
  • Always use WordPress Toolkit Security Check to implement security best practices.
  • Install Datagrid VCTR to scan for vulnerabilities.
  • Install VirusTotal Website Check to scan websites using multiple anti-virus engines
  • Install Fail2Ban to block hack attempts.
  • Periodically scan the server for viruses. Applications list can be obtained here .
  • Monitor activity on your server actively.
  • Switch PHP handlers for domains to a higher supported versions.
  • Do not use PHP handler served as Apache module since it is not secure.
  • Make sure that WordPress installations are up-to-date and security settings are enabled.
  • Make sure that all installed application are up-to-date.
  • Filter all unused ports using firewall. Ports that are used by Plesk can be found here .
  • Contact Plesk support, if you guess that the server was hacked using Plesk.
Have more questions? Submit a request
Please sign in to leave a comment.