Feb 18, 2014
cPanel Access Level
Root Administrator

Recently one of my clients got hacked, a basic Joomla site with weak password.
I have been investigating the activity on the account and server, and found some files that have been uploaded.

They have been spawning a lot of processes with cronjob on the user. The account is Jailed and php is running as the user so I don't thing they have gone any further on my server. Just this user have this type of activity.

I found one interesting script on my clients account, but its quite hard to "translate" what it's actually doing. (See attached file)
Someone have any ideas?
Last edited by a moderator: