I’ve recently taken over a CentOS server with Plesk installed that had been hacked.
All sites' error logs are now showing errors:
[Wed May 31 12:37:12 2017] [error] [client 66.249.73.133] Premature end of script headers: index.php
[Wed May 31 12:52:32 2017] [warn] [client 40.77.167.50] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Wed May 31 12:52:32 2017] [error] [client 40.77.167.50] Premature end of script headers: index.php
I’ve never seen anything like this, and I’ve been through multiple Stack Overflow questions.
I’ve tried rebooting, restarting httpd, all the basic stuff, and even resetting folder permissions of /var/www.
Can anyone help?
Thanks
2 Answers
You can try to switch the Plesk domain's PHP handler from FastCGI to PHP-FPM (or even switch from Apache to Nginx).
Also, something from this article may help you, or maybe ask the Plesk guys in the comments.
The “end of script headers” entries are likely caused by the problem with the PHP handler, as stated in the other error message. Unfortunately, there may be several reasons why the handler can’t read the data. That seems like maybe an Apache log? Can you generate a FastCGI error log? As most attacks only access the particular user which runs the script, and especially because an attack would not likely misconfigure your PHP handler, you might try looking at issues with the specific site code. Permissions may be a good place to start, and if the main directory permissions are fine, maybe look at other files. You might want to try creating a new user and simply run a phpinfo(); script from that user to see if PHP itself can work.
When an account is compromised, nothing in that user’s account is safe. The first thing that an attacker typically does is to upload a webshell. From the webshell, he would have access to modify any file that user can access. Since malware scanning tools usually only find fingerprints of known malware, it’s best to assume the entire account is compromised and to restore it from a backup. Your problems are potentially worse than having PHP errors.
Therefore, if the server doesn’t have problems with a new account, it may be best to simply toss out that data and work on finding a clean copy to recover from. Alternatively, there are companies out there like Sucuri which can help you clean up from a compromise.
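A small triage script for the log format shown in the question, added here as an illustration and not part of either answer: it parses Apache 2.2-style error_log lines and flags which "Premature end of script headers" entries are directly preceded by a mod_fcgid read failure from the same client, which is the handler-side failure the answer above points at. The sample excerpt is constructed from the question's three lines plus one unrelated entry; the `/var/www/vhosts/example.com/...` path and the 203.0.113.9 client in it are made-up values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2-style error_log line, as in the question:
# [Wed May 31 12:52:32 2017] [error] [client 40.77.167.50] Premature end of script headers: index.php
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")

# Constructed sample: the question's three lines plus one unrelated error for contrast.
SAMPLE_LOG = """\
[Wed May 31 12:37:12 2017] [error] [client 66.249.73.133] Premature end of script headers: index.php
[Wed May 31 12:52:32 2017] [warn] [client 40.77.167.50] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Wed May 31 12:52:32 2017] [error] [client 40.77.167.50] Premature end of script headers: index.php
[Wed May 31 12:53:01 2017] [error] [client 203.0.113.9] File does not exist: /var/www/vhosts/example.com/httpdocs/favicon.ico
"""

def parse_line(line):
    """Parse one error_log line into a dict (ts, level, client, msg); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def triage(log_text, window_seconds=2):
    """Count 'Premature end of script headers' errors per script and flag those that
    follow a mod_fcgid read failure from the same client (the PHP process died before
    sending headers, so the handler/process is suspect rather than the script's output)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_script = defaultdict(int)
    fcgid_linked = []
    for i, rec in enumerate(records):
        if not rec["msg"].startswith("Premature end of script headers"):
            continue
        script = rec["msg"].split(":", 1)[1].strip()
        per_script[script] += 1
        # Walk back through earlier records while still inside the time window.
        for prev in reversed(records[:i]):
            if (rec["ts"] - prev["ts"]).total_seconds() > window_seconds:
                break
            if prev["client"] == rec["client"] and "mod_fcgid" in prev["msg"]:
                fcgid_linked.append((rec["ts"], rec["client"], script))
                break
    return dict(per_script), fcgid_linked
```

Run it over a real error_log instead of `SAMPLE_LOG`: a high share of flagged entries means the FastCGI process itself is dying, while unflagged ones point at the script producing bad or no headers.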