Hi guys,
On all 6 of our servers (all running cPanel Release tree), somebody last night uploaded some strange files to /var/spool/ named /var/spool/.GGG/ - inside the .GGG folder was a keylogger by the looks of it, and also an output of text (including passwords). This folder was not viewable until a reboot of the server had taken place. This coincided with web sites hosted on the servers being infected with the vbs.psyme trojan which injects malicious JavaScript to the browser.
Has anyone else seen similar things over the past 48 hours, and if so has the entry point been established?
TIA
Steve