Wednesday, 6 March 2013

Server hacked? Find all the files on a Plesk server that have been modified


Sorry to hear you've been hacked. It's happened to me a few times. Your password is perhaps not strong enough (so change that first).

Hackers tend not to delete your website; rather, they add extra files for their own bad plans, or add malicious code to your existing files. That is why a search for recently changed files is a good first step.

Here's how you find what files they've modified on a Plesk server.

1. Get PuTTY and connect to your server using your SSH login.

2. You need to navigate to the 'vhosts' folder, where all the files are kept for the various websites. For me, this was /var/www/vhosts, so...

cd /var/www/vhosts

Then type this command in...

find . -type f -iname '*.php' -mtime -3 | more


Change the 'php' bit if you want to find a different type of file (cgi?), or remove the whole -iname '*.php' bit if you want to find all types of file... although this will likely bring up lots of log files and statistics files. The -type f part keeps directories out of the list.


Change '-3' if you want to look more or less days in the past (e.g. -7 is a week). Note that -mtime -3 means "modified less than 3 x 24 hours ago". Be aware that it tests the file's modification time, which an attacker can set to anything with the touch command (for example copying the timestamp of a legitimate file), so if the list looks suspiciously clean, run the same search with -ctime instead of -mtime: the inode change time is updated by the same edit but cannot be set with touch.

If you get a whole stack of results, you need to press return to see each next one. Press 'q' if you've found what you're looking for and want to stop.

Good luck!

P.S. Instead of the -iname test, here's a line that will find any file modified in the last week that resides within a httpdocs folder (i.e. so the statistics are cut out of the search, but the public folders aren't). -ipath matches against the whole path, case-insensitively; older write-ups use -iwholename, which GNU find accepts as a less portable synonym.

find . -type f -ipath '*httpdocs*' -mtime -7 | more
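As an added example that is not part of the original post, here is a small POSIX shell script that wraps these find commands in a function, prunes Plesk's statistics and logs directories rather than relying on a filename pattern, and can test ctime as well as mtime so that a dropper whose mtime was backdated with touch -r still shows up. The vhosts root and day count are parameters, and the example.com tree, its file contents and the temp directory are all constructed for the demo; on a real server you would run find_changed /var/www/vhosts 7 (and then the same with ctime).

```shell
#!/bin/sh
# Added example, not from the original post: search a Plesk vhosts tree for
# recently changed files. Assumed layout: ROOT/<domain>/httpdocs plus
# ROOT/<domain>/statistics (and, on newer Plesk, ROOT/<domain>/logs).

# find_changed ROOT DAYS [mtime|ctime]
#   Prints regular files under ROOT whose modification time (default) or
#   inode change time is less than DAYS days old, skipping any directory
#   named statistics or logs so access logs don't swamp the listing.
find_changed() {
    root="$1"; days="$2"; which="${3:-mtime}"
    if [ "$which" = ctime ]; then t='-ctime'; else t='-mtime'; fi
    find "$root" \
        \( -path '*/statistics' -o -path '*/logs' \) -prune -o \
        -type f "$t" "-$days" -print | sort
}

# count_changed ROOT DAYS [mtime|ctime]
#   Same search, prints only the number of hits.
count_changed() {
    find_changed "$@" | wc -l | tr -d ' '
}

# demo_vhosts
#   Builds a constructed vhosts tree in a temp dir (sample data, not a real
#   server) and prints its path:
#     httpdocs/index.php     legitimate file, mtime backdated to 2013
#     httpdocs/upload.php    newly dropped file, current timestamp
#     httpdocs/wp-cache.php  newly dropped file whose mtime the "attacker"
#                            copied from index.php with touch -r
#     statistics/logs/...    fresh log line that would otherwise be noise
#   Note: creating index.php here updates its ctime too, so it appears in
#   the ctime search of the demo; on a real server its ctime would be old.
demo_vhosts() {
    d=$(mktemp -d)
    h="$d/example.com/httpdocs"
    mkdir -p "$h" "$d/example.com/statistics/logs"
    printf '%s\n' '<?php echo "hello"; ?>' > "$h/index.php"
    touch -t 201301010000 "$h/index.php"          # pretend it is years old
    printf '%s\n' '<?php move_uploaded_file($_FILES["f"]["tmp_name"], $_GET["n"]); ?>' > "$h/upload.php"
    printf '%s\n' '<?php eval($_POST["x"]); ?>' > "$h/wp-cache.php"
    touch -r "$h/index.php" "$h/wp-cache.php"     # backdate mtime only; ctime stays "now"
    printf '%s\n' '127.0.0.1 - - [01/Mar/2013:10:00:00 +0000] "GET / HTTP/1.1" 200' \
        > "$d/example.com/statistics/logs/access_log"
    printf '%s\n' "$d"
}

# Run "sh script.sh demo" to see the two searches side by side.
if [ "${1:-}" = demo ]; then
    root=$(demo_vhosts)
    echo "mtime search (what the post runs):"
    find_changed "$root" 7 mtime
    echo "ctime search (also catches the backdated dropper):"
    find_changed "$root" 7 ctime
    rm -rf "$root"
fi
```

In the demo the mtime search lists only upload.php, while the ctime search also lists wp-cache.php, the file whose mtime was copied from index.php. The pruning uses directory names rather than the '*httpdocs*' path pattern so that files dropped into cgi-bin, private or a subdomain's document root are still searched.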
