Hi!
Recently one of my clients got hacked, a basic Joomla site with weak password.
I have been investigating the activity on the account and server, and found some files that have been uploaded.
They have been spawning a lot of processes with cronjob on the user. The account is Jailed and php is running as the user so I don't thing they have gone any further on my server. Just this user have this type of activity.
I found one interesting script on my clients account, but its quite hard to "translate" what it's actually doing. (See attached file)
Someone have any ideas?
Recently one of my clients got hacked, a basic Joomla site with weak password.
I have been investigating the activity on the account and server, and found some files that have been uploaded.
They have been spawning a lot of processes with cronjob on the user. The account is Jailed and php is running as the user so I don't thing they have gone any further on my server. Just this user have this type of activity.
I found one interesting script on my clients account, but its quite hard to "translate" what it's actually doing. (See attached file)
Someone have any ideas?
Last edited by a moderator:
