Issue xmri Infected

[Inma]

Server operating system version

Debian

Plesk version and microupdate number

18.0.55

This server has had an infected hosting which created these files and ran that command using the FTP user and there was no way to stop it, every reboot and change of ftp data... was re-run

that hosting no longer has a web site only mail . So in theory we thought it was fixed but NO, now run this with user 10007

I search xmri no longer shows me any files because the infected website has NO website or place to upload files or infected files... any ideas ?

 

[Peter Debik]

You could try to run maldetect (that's a third party tool) to scan all files on the server for malware, because there might still be infected files on the server if the software managed to access the root level. You should also check that your /tmp partition (or directory) do not have any file execution permissions.

 

[Inma]

hello, yesterday I rebooted the machine and it has already disappeared that attacker... I keep checking and check the permissions of /tmp and scan in Immunify and maldetect.

Thanks