- Plesk for Linux
The permissions of the website index file
/var/www/vhosts/example.com/httpdocs/index.php are constantly being reset to 000.
Some time after the correct permissions (644) are set with the
chmod utility, they revert to 000, which breaks the website's main page.
The following records can be found in the domain's access log (either
# grep -i "some_script.php" /var/www/vhosts/system/example.com/logs/*
/var/www/vhosts/system/example.com/logs/access_ssl_log:203.0.113.2 - - "GET some_script.php?cmd=chmod%20000%20~/httpdocs/index.php HTTP/1.0" 200 1247 "-" "Dalvik/2.1.0 (Linux; U; Android 8.1.0; X526 Build/OPM1.171019.013)"
/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log:18.104.22.168 - - "GET some_script.php?cmd=chmod%20000%20~/httpdocs/index.php HTTP/1.1" 200 84 "-" "Dalvik/2.1.0 (Linux; U; Android 8.1.0; X526 Build/OPM1.171019.013)"
The script mentioned in the log contains PHP code that executes shell commands passed to it in the request.
The malicious PHP script was uploaded into the website's files.
The attackers keep sending the command chmod 000 ~/httpdocs/index.php to it, which is what resets the permissions.
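The log entries above can be triaged automatically. The following script is an added example, not part of the Plesk article: it parses access-log lines (with or without the "file:" prefix that grep adds when searching several logs), URL-decodes every query-string parameter, and flags values that look like shell commands, so the same kind of webshell can be spotted even when the script name or parameter name differs. The sample log lines are constructed from the entries quoted above plus ordinary requests for contrast; the list of command words is an assumption chosen for illustration. Requires Python 3.9 or newer.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two request types quoted in the article, plus
# normal traffic. IPs are documentation addresses, not real attackers.
SAMPLE_LOG = """\
/var/www/vhosts/system/example.com/logs/access_ssl_log:203.0.113.2 - - "GET some_script.php?cmd=chmod%20000%20~/httpdocs/index.php HTTP/1.0" 200 1247 "-" "Dalvik/2.1.0 (Linux; U; Android 8.1.0; X526 Build/OPM1.171019.013)"
198.51.100.7 - - "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.2 - - "GET some_script.php?cmd=ls%20-la HTTP/1.0" 200 300 "-" "Dalvik/2.1.0"
198.51.100.9 - - "POST /contact.php?page=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Common-log-style line, optionally prefixed by "path:" (grep output over
# several files). The timestamp field is missing in the article's excerpt,
# so it is optional here.
LOG_RE = re.compile(
    r'^(?:(?P<file>/\S+):)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'(?:\[[^\]]*\] )?'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Command words that have no business being a query-string value.
# This list is an illustrative assumption; extend it for your environment.
SHELL_WORDS = {"chmod", "chown", "ls", "cat", "rm", "wget", "curl", "sh",
               "bash", "id", "uname", "whoami", "echo", "php", "perl", "python"}

# Shell metacharacters that usually indicate command chaining or substitution.
SHELL_META = re.compile(r'[;|&`$]')


def looks_like_shell(value: str) -> bool:
    """True if a decoded parameter value starts with a shell command word
    or contains shell metacharacters."""
    first_word = value.strip().split(" ", 1)[0]
    return first_word in SHELL_WORDS or bool(SHELL_META.search(value))


def find_command_requests(log_text: str) -> list[dict]:
    """Return one finding per parameter value that looks like a shell command."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parts = urlsplit(m["target"])
        # parse_qs URL-decodes, turning %20 back into spaces
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if looks_like_shell(value):
                    findings.append({
                        "ip": m["ip"],
                        "script": parts.path,   # the file to inspect/remove
                        "param": param,
                        "command": value,
                        "status": int(m["status"]),
                    })
    return findings


def suspicious_scripts(log_text: str) -> dict[str, int]:
    """Count how many command-carrying requests each script received."""
    return dict(Counter(f["script"] for f in find_command_requests(log_text)))


if __name__ == "__main__":
    for f in find_command_requests(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['script']} [{f['param']}] {f['command']!r} ({f['status']})")
    print("scripts to review:", suspicious_scripts(SAMPLE_LOG))
```

Run it against real logs by reading the file into the function instead of SAMPLE_LOG; each reported script path is a candidate for the removal step below, and the IP column gives you the source to block. A 200 status on these requests means the command was accepted, so any other file the same IP touched should be reviewed as well.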
Connect to the server using SSH and remove the malicious script:
# rm -f /var/www/vhosts/example.com/httpdocs/some_script.php
Also, consider applying the recommendations from the article "How to secure a Plesk server?".