In the end, the best thing to do is take the server offline and fix it by reinstalling from backups.
If the logs are on the same server that was compromised, the logs could have been altered as well.
Are the websites running with different file permissions to silo possible damage? Or are the sites pretty much sharing all the resources? Are other users involved and able to run scripts? Do they have different widgets and whatnots installed? Were the files timestamped, so you could go back into the logs to try to glean what happened? If someone else has access to the server, maybe they did something to infect it. If there's a database running on it, someone could have faulty code on the system. Without auditing and sandboxing, you're going to have a hard time telling what happened. Third, what custom code is running on the server outside Plesk? How do you know that was even the infection vector? Second, were you up to date on patches and such before the infection or did you patch after? Take the server offline and reinstall and restore backups that are pre-infection. First, if there's a rootkit, you're probably fighting a neverending fight.
0 kommentar(er)
