Article ID: 115025, created on Oct 25, 2012, last review on Aug 12, 2014

  • Applies to:
  • Plesk for Linux/Unix
  • Plesk for Windows


Parallels Plesk Panel (PP) servers that have been compromised via the Remote vulnerability (CVE-2012-1557) might contain malware, even after being patched.


Exploits can stay undetected on the server because Parallels Plesk Panel updates only close security holes, and does not remove malware that is already present.

Please Note:
The malware discussed in this article was not and is not delivered with Parallels Plesk Panel when present on a server; it was brought from outside through the Remote vulnerability.
Clean installations of Parallels Plesk Panel 10.3 + MU#5 and Parallels Plesk Panel 10.4 and 11.0 are not infected; however, upgrades from older Parallels Plesk Panel instances to these new Parallels Plesk Panel versions may still be impacted.


As a part of Micro-Updates
As a standalone script

The Malware Removal Script has been issued as a part of the following Micro-Updates:

Parallels Plesk Panel 8.6.0 MU#21
Parallels Plesk Panel 9.5.5 MU#10
Parallels Plesk Panel 9.5.4 MU#27
Parallels Plesk Panel 10.4.4 MU#47
Parallels Plesk Panel 11.0.9 MU#23

Please check the current Micro-Update version using the steps from the end of the following article: Using Micro-Updates in Parallels Plesk Panel

This script targets known malware affecting Parallels Plesk Panel and neutralizes the malware.
Note: The fix will be applied on PP 8.6 and PP 9.5 one day after the update is installed.
The Malware Removal Script has been also published as a stand-alone version for use with the Parallels Plesk Panel builds that do not support Micro-Update technology; the scripts are attached:

  • Parallels Plesk Panel 8.x for Linux
malware_removal_script_linux_8.php  (MD5 adc773e10f5ab688141ec3aa34341cd4)
# /usr/local/psa/admin/bin/php malware_removal_script_linux_8.php

  • Parallels Plesk Panel 9.x and above for Linux
malware_removal_script_linux_9.php (MD5 183ae900fcf14b8e90b6f47686d0e5f8)
# /usr/local/psa/bin/sw-engine-pleskrun malware_removal_script_linux_9.php

  • Parallels Plesk Panel 8.x and above for Windows
malware_removal_script_windows.php (MD5 7dedaa220fdfc2bdc38d5cdc210bc2f3)
# "%plesk_bin%\php.exe" -dauto_prepend_file="" malware_removal_script_windows.php


a914db3fdc7a53ddcfd1b2db8f5a1b9c 56797cefb1efc9130f7c48a7d1db0f0c 29d1e90fd304f01e6420fbe60f66f838 85a92ca67f2200d36506862eaa6ed6b8

Email subscription for changes to this article
Save as PDF