In following the various PID’s and knowing ahead of time that this issue is largely related to Plesk and their public admission of a hack existing since v8.2 I was only slightly amazed when I entered the IP of http://188.8.131.52/.
It goes directly to a Plesk test page that appears as a place hold page and shows the customer that Perl, ASP, etc. are working. Some of us have already experiment with deleting the /test DIR on all sites. This appears to be the ingress.
Be careful that the customer has not put any of their files in the /cgi-bin/test DIR but it isn’t likely. There are two /cgi-binb’s. One for the main site above the root and one in/httpsdocs.
ls -lah /var/www/vhosts/*/cgi-bin/test/* rm -fr /var/www/vhosts/*/cgi-bin/test ls -lah /var/www/vhosts/*/httpsdocs/test/* rm -fr /var/www/vhosts/*/httpsdocs/test