StefanGlae
New Pleskian
Hello,
today two of our servers got hacked shortly one after another (between one hour). It looks alike, that the attacker got a bash using a normal user login (the password contains 16 letters, numbers, special charakters). I don't know, how they did that?!?
But they did not blurred their traces, so that I was able to find the "fin.sh" script. This script has made some modifcations in our system, especially it places the file "eng.php" into /opt/psa/admin/htdocs/enterprise/control folder and it also changes the /etc/ssh/sshd_config file.
Is anybody out there from parallels to investigate the backuped scripts?
Kind regards,
Stefan
today two of our servers got hacked shortly one after another (between one hour). It looks alike, that the attacker got a bash using a normal user login (the password contains 16 letters, numbers, special charakters). I don't know, how they did that?!?
But they did not blurred their traces, so that I was able to find the "fin.sh" script. This script has made some modifcations in our system, especially it places the file "eng.php" into /opt/psa/admin/htdocs/enterprise/control folder and it also changes the /etc/ssh/sshd_config file.
Is anybody out there from parallels to investigate the backuped scripts?
Kind regards,
Stefan