Quick patch for Pre-8.x Plesk Horde vulnerability

Running a pre-8.x version of Plesk? You are probably already hacked.

To find out, run this grep as root:

 # grep passthru /var/log/httpd/access_log*

See something like this?

 [root@this_could_be_you root]# grep passthru /var/log/httpd/access_log*
 /var/log/httpd/access_log.1:68.178.241.194 - - [19/Nov/2007:10:48:30 -0600] "POST /horde/services//help/?show=about&module=;%22.passthru(%22%22.chr(47).%22bin%22.[...exploit code redacted...]

Yeah. You're hacked. Go ahead and clear out /tmp and /dev/shm. Then, schedule an upgrade of Plesk to 8.x. In the meantime, you'll want to close this gaping hole. And it's really, really hard. Nah, Plesk just doesn't care to support this ancient, well-known vulnerability. Here's how you can disable the vulnerable script with a one-liner:

 # cp /usr/share/psa-horde/services/help/index.{php,bad}
 # ed  -s /usr/share/psa-horde/services/help/index.php  <<< $'1 a\necho "Help is temporarily unavailable.";\nexit;\n.\nw'
 # diff /usr/share/psa-horde/services/help/index.{php,bad} 
 2,3d1
 < echo "Help is temporarily unavailable.";
 < exit;

This disables the vulnerable script. Yeah, I could go get the patch from the good people at Horde and put it in place, but, really, why bother? Disabling the script removes the problem for sure and Horde's Help is...non-essential. Maybe just "chmod 0000 /usr/share/psa-horde/services/help/index.php" or even "rm /usr/share/psa-horde/services/help/index.php" would be acceptable.

Anyway... please be careful with old software.
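
An added example, not part of the original post: a Python version of the grep check above that percent-decodes each request before judging it, flags any `module` value sent to the Horde help script that is not a plain identifier, and groups the hits by client. The allowlist pattern, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
import sys
from collections import defaultdict
from urllib.parse import unquote, unquote_plus

# Apache common/combined log prefix: client, timestamp, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')
HELP_PATHS = {"/horde/services/help", "/horde/services/help/",
              "/horde/services/help/index.php"}
# Assumption: a legitimate module name is a short plain identifier.
SAFE_MODULE = re.compile(r"[A-Za-z0-9_-]{0,32}")

SAMPLE = [  # constructed log lines; payloads stay redacted, as on the page
    '203.0.113.9 - - [19/Nov/2007:10:48:30 -0600] "POST /horde/services//help/?show=about&module=;%22.passthru(%22REDACTED%22) HTTP/1.1" 200 512',
    '198.51.100.4 - - [19/Nov/2007:10:50:02 -0600] "GET /horde/services/help/?show=about&module=horde HTTP/1.1" 200 2048',
    '198.51.100.4 - - [19/Nov/2007:10:51:40 -0600] "GET /horde/imp/mailbox.php?module=%3Bx HTTP/1.1" 200 900',
    '203.0.113.9 - - [19/Nov/2007:10:52:11 -0600] "GET /horde/services/help/index.php?module=%3B%22REDACTED HTTP/1.1" 200 512',
]

def suspicious_help_requests(lines):
    """Yield (client, timestamp, decoded module value) for flagged requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp, target = m.groups()
        path, _, query = target.partition("?")
        # Collapse repeated slashes so /services//help/ matches too.
        if re.sub(r"/+", "/", unquote(path)) not in HELP_PATHS:
            continue
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            value = unquote_plus(raw)  # decode %22, %3B, ... before judging
            if unquote_plus(key) == "module" and not SAFE_MODULE.fullmatch(value):
                yield client, stamp, value

def hits_by_client(lines):
    """Group flagged requests by client address for incident triage."""
    hits = defaultdict(list)
    for client, stamp, value in suspicious_help_requests(lines):
        hits[client].append((stamp, value))
    return dict(hits)

if __name__ == "__main__":
    # With no arguments, run on the constructed sample; else read log files.
    paths = sys.argv[1:]
    lines = SAMPLE if not paths else (
        line for p in paths for line in open(p, errors="replace"))
    for client, hits in hits_by_client(lines).items():
        print(client, len(hits), "flagged request(s)")
        for stamp, value in hits:
            print("   ", stamp, repr(value))
```

Pass access log paths as arguments to scan real files; a flagged client is a starting point for reviewing what else that address requested.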
