A remote vulnerability in Plesk Panel has recently been discovered.
We suspect that client logins with weak passwords have been compromised due to this vulnerability.
Injection attacks were later carried out on the compromised accounts by editing the files of the domains using the File Manager option in the control panel.
The script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments) looks like this:
On Google diagnostic pages of infected sites you will currently see something like this
or the infected websites may be blocked and may display "Reported Attack Site". Malicious software is hosted on 2 domain(s), including ctonxidjqijsnzny .ru/, znycugibimtvplve .ru/.
Parallels has released security patches and hot-fixes for this vulnerability, and the patches have already been applied on all our shared servers.
For our VPS and Dedicated servers:
You can find the patch and the instructions to apply it on your servers here:
Plesk Patch - Article ID: 113321
*Note: if you face any issues while applying the patch on your server, you may contact support and we will do this for you.
**Secondly, as a precautionary measure, we suggest you reset the Plesk Control Panel logins and FTP login details to strong ones as soon as possible.**
You can also check the "Action Log" of your Plesk control panel to see if there were any malicious logins to it:
Plesk 8.6 : Log into Plesk using Admin login >> Select Servers from left pane >> Select "Action Log"
Plesk 9.x : Log into Plesk using Admin login >> Select Settings from left pane >> Select "Action Log"
Plesk 10.x/11.x : Log into Plesk using Admin login >> Select Settings under server management >> Select "Action Log"
If you see multiple logins from a malicious IP, you can report the IP to our support department and we will block it on your server.
For sites that have already been infected and are displaying "Reported Attack Site!":
Malware code has been injected into the website. You will need to contact your developer to scan the pages of the website manually for the malware code and remove it.
Alternatively, you can scan the website with an online scanner (like WebsiteDefender etc.) to get the list of infected pages of the website.
Once your website is clean, you can file a review request from your Google Webmaster account.
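To help with the manual page scan described above, the following added example (not part of the original advisory) walks a site's document root and reports the line range of every block enclosed by the two marker comments quoted earlier. The extension list and function names are assumptions, and the demo tree is constructed with a placeholder instead of real malware.

```python
import os
import re
import tempfile

# Marker comments quoted in the advisory above.
START = "/*km0ae9gr6m*/"
END = "/*qhk6sa6g1c*/"
# Assumption: file types worth scanning; adjust for the site.
EXTENSIONS = (".js", ".php", ".html", ".htm")


def find_blocks(text, start=START, end=END):
    """Return (first_line, last_line) for each start...end block in text."""
    pattern = re.compile(re.escape(start) + r".*?" + re.escape(end), re.DOTALL)
    spans = []
    for m in pattern.finditer(text):
        first = text.count("\n", 0, m.start()) + 1
        last = text.count("\n", 0, m.end()) + 1
        spans.append((first, last))
    return spans


def scan_tree(root):
    """Walk root and map each infected file path to its block line ranges."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    spans = find_blocks(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if spans:
                findings[path] = spans
    return findings


def demo():
    """Scan a constructed tree: one clean file, one with a placeholder block."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.js"), "w") as fh:
            fh.write("var a = 1;\n")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>\n" + START + "\nPLACEHOLDER\n" + END + "\n</html>\n")
        return {os.path.basename(p): s for p, s in scan_tree(root).items()}
```

The scanner only reads files; review each reported range before removing anything, since a file with a start marker but no end marker is not reported.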