Posts tagged plesk
install php7 in plesk
plesk sbin autoinstaller --select-product-id plesk --select-release-current --install-component php7.0
Copy to the server, and tar xzvf it.
cd ioncube
cp ioncube_loader_lin_7.0.so /opt/plesk/php/7.0/lib/php/modules/
link it with php
In /opt/plesk/php/7.0/etc/php.ini put this:
(Somewhere near the other zend options.)
plesk bin php_handler --reread
Will show you
ioncube php loader (enabled) ... so it actually works.
Now don't use the OS php version (i.e. if you already have php 7 available from ubuntu 16.04), but the plesk one from the dropdown menu in the php settings of your hosting.
If you cannot upload zip files, install php-zip from your OS's package management (apt install php-zip -y).
To show all mailaccounts and the corresponding passwords, use
On older plesk installations, the file may be located differently.
locate mail_auth_view to find the path there.
To show all passwords for all mailaccounts on a plesk installation, do this:
Ever felt the need to dig deep into plesk data model?
Starting with 12.5, there will be some official documentation on this, until it's done see here.
To access a plesk's mysql database, you need the password plesk creates by itself.
Either get it in plaintext:
Or just access the mysql db client with this line:
mysql -uadmin -p$(cat /etc/psa/.psa.shadow)
The best Plesk 11 reference you can find is here.
When receiving a mail like this:
1 Hi Abuse Team,
2
3 This is an RBL nomination for the following lists of IP addresses that
4 are in the process of being listed to the RBL as a spam source
5 and/or is an originating spam source in progress.
6
7 -- IPs listed to the RBL --
8 here.is.your.ip
9 -- End of IPs listed to the RBL --
10
11 Please refer to below information for representative spam samples.
12 Additional samples are available upon request from an authoritative
13 requestor.
14
15 Filename: CTR-NET.zip
16 Password: novirus
17
18 -- Example of spam mail --
19 Spam Sample #1 - [here.is.your.ip]
20
21 Received: from [here.is.your.ip] by <removed> via sendmail with smtp;
22 for 1 recipient; Fri, 04 Jul 2014 07:24:14 -0000
23 Received: by <removed> (Postfix, from userid 10335)
24 id 8D55D7E2640; Fri, 4 Jul 2014 09:24:15 +0200 (CEST)
25 To: <removed>
26 Subject: Dear Customer! We received your July 1st payment of $2579 which brings
27 your balance to $0.
28 X-PHP-Originating-Script: 10335:yysfgfo.php
29 Message-Id: <removed>
30 Date: Fri, 4 Jul 2014 09:24:15 +0200 (CEST)
31 From: <removed>
32
33 -- End of Example of spam mail --
34
35 -- Network Information --
36
37 ...
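The important information is in line 28: the X-PHP-Originating-Script header carries the UID of the script's owner, followed by the script's file name. Look the UID up:
$ grep 10335 /etc/passwd
which will give you the user in question.
Then clean the yysfgfo.php file from his account and the spam issue is fixed. (find <dir_of_webspace> -iname yysfgfo.php will show you where it lies.)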
The UID and filename may differ, these are just examples.
Of course the site was hacked, and you/the customer still have to fix and secure it, so that future hacks are prevented.
Usually setting a new password for the user's ftp account (so new malicious scripts cannot be uploaded again) is enough. In case you use Plesk, you might consider setting a new password for the login to the Websitepanel, too.
spamming just started
If you have not yet received a blacklist mail or other form of notification and the spamming is taking place right now, use these:
# first have a look at the current mail queue
mailq
Then you are shown the queue file id (first character sequence at the beginning of the line), sender and other information.
Have a look at some of the suspicious looking emails, using the queue id:
# show mail header and body
postcat -q 252977E27B0
There you watch out for entries like X-PHP-Originating-Script, as described in the beginning of the post.
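When many messages are queued, reading them one by one gets slow. The following is an added example, not code from the original post: it tallies the X-PHP-Originating-Script header over a stream of mail text and resolves each UID against a passwd-format file. The function names, the sample headers and the users alice and bob are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): tally X-PHP-Originating-Script
# headers. Reads mail text on stdin, prints "count uid user script" per line.
# $1 is a passwd-format file used for the UID lookup (default /etc/passwd).
tally_originating_scripts() {
    awk -v pw="${1:-/etc/passwd}" '
        BEGIN {  # map UID (field 3) to login name (field 1)
            while ((getline line < pw) > 0) { split(line, f, ":"); user[f[3]] = f[1] }
        }
        # PHP writes the header as "X-PHP-Originating-Script: <uid>:<file>"
        tolower($0) ~ /^x-php-originating-script:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)      # drop the header name
            sep = index(value, ":")
            if (sep == 0) next                   # malformed, skip
            script = substr(value, sep + 1)
            sub(/[ \t\r]+$/, "", script)         # trim trailing whitespace / CR
            count[substr(value, 1, sep - 1) SUBSEP script]++
        }
        END {
            for (k in count) {
                split(k, p, SUBSEP)
                name = (p[1] in user) ? user[p[1]] : "unknown"
                printf "%d %s %s %s\n", count[k], p[1], name, p[2]
            }
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample: header lines of three queued messages.
sample_headers() {
    cat <<'EOF'
X-PHP-Originating-Script: 10335:yysfgfo.php
Subject: first
X-PHP-Originating-Script: 10335:yysfgfo.php
Subject: second
x-php-originating-script: 10007:contact.php
EOF
}

# Runs the tally against a constructed passwd file (user names are made up).
demo() {
    pw=$(mktemp)
    printf '%s\n' 'alice:x:10007:1004::/var/www/vhosts/a.example:/bin/false' \
                  'bob:x:10335:1004::/var/www/vhosts/b.example:/bin/false' > "$pw"
    sample_headers | tally_originating_scripts "$pw"
    rm -f "$pw"
}

demo
```

On a live server, pipe the postcat -q output of the suspicious queue ids into tally_originating_scripts; the script at the top of the list is the one to look for first.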
brute force in case nothing helps
If the mailheader does not provide an X-...-Originating-Script entry, try this:
for i in $(find /var/www/vhosts -type f -name access_log); do COUNT=$(fgrep -c POST "$i"); if [ "$COUNT" -gt 0 ]; then echo "$i"; echo "$COUNT"; fi; done
This approach works because most hackers use HTTP POST requests to trigger the spam dispatch.
The commands will scan the apache httpd access logs of all webhostings and count the POST requests sent to each hosting. You should then have a look at the recently changed files in the folder with the most hits. Keep in mind that, due to the I/O load this might put on the system, it might take a while until this command sequence is finished.
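Once a hosting stands out, the next question is which script receives the POSTs. The following added example (not from the original post) ranks the POSTed paths of one access log; it counts only lines whose request method is POST, whereas fgrep -c POST also counts lines that merely contain the string. The function names and the log lines are constructed, and the log is assumed to be in Apache common/combined format.

```sh
#!/bin/sh
# Added example (not from the original post): rank POST targets in an access log.
# Reads common/combined-format log lines on stdin and prints "count path",
# most-hit first. $1 limits the number of rows (default 10).
rank_post_targets() {
    awk -F'"' '
        {
            # $2 is the quoted request line: METHOD PATH PROTOCOL
            n = split($2, req, " ")
            if (n < 2 || req[1] != "POST") next   # count the method only
            path = req[2]
            sub(/\?.*$/, "", path)                # fold query-string variants
            hits[path]++
        }
        END { for (p in hits) printf "%d %s\n", hits[p], p }
    ' | sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Constructed sample log; addresses are from documentation ranges.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [04/Jul/2014:09:24:10 +0200] "POST /images/yysfgfo.php HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [04/Jul/2014:09:24:12 +0200] "POST /images/yysfgfo.php?x=1 HTTP/1.1" 200 12 "-" "-"
203.0.113.5 - - [04/Jul/2014:09:24:15 +0200] "POST /images/yysfgfo.php HTTP/1.1" 200 12 "-" "-"
192.0.2.10 - - [04/Jul/2014:09:25:01 +0200] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Jul/2014:09:25:30 +0200] "GET /search.php?q=POST HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

sample_access_log | rank_post_targets
```

Feed it one of the access_log files that the find command above lists, starting with the hosting that has the most hits.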
To have a look at the I/O load, use top:
top - 10:20:37 up 27 days, 3:09, 2 users, load average: 0.00, 0.01, 0.00
Tasks: 130 total, 1 running, 129 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.3%us, 0.0%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
...
The wa percentage given above is the average value of all cpu wait times for the I/O subsystem.
0.0% is no wait; if it's like 40 percent or higher, the command will take ages to finish.
To turn php error display off in Plesk 11, do this:
- Login to the panel.
- Open the domain in question.
- Tab Websites and Domains.
- Show 'extended options'.
- Open 'website-scripting and security'.
- Tab 'PHP settings'.
- Set 'display_errors' to 'off'.
This might be needed when clients do not update their web presence and developed it against an old php version. When the php install on the server gets an update, a lot of functions in their code are shown as deprecated at once. This option helps to keep the site properly viewable. Still, the code has to be updated, in case deprecated functions are sooner or later removed from the php language. TBH I have no idea if such things happen in the php landscape, but it happens in other programming languages.