Eboubaker was awarded Best Answer +1000 XP
1mo ago
Please be careful! I was attacked with a similar pattern and the attacker gained remote execution. The attacker used these CVEs:
- GHSA-29cq-5w36-x7w3
- CVE-2024-47823

Search them online to understand!
Please scan your files and your VPS for unauthorized access or files. Do these immediately:
- scan for any directory with name: ALPHA_DATA
- check your crontab (under the user running the web server) for any payload.
- check for access logs and current active connections from these bot IPs: 45.148.244.66, 23.94.95.228, 182.255.1.186, 210.57.216.4
- check for any process with name '[ksmd]' that is NOT running as 'root' user
- check for processes with name 'defunc'
If you find anomalies, I recommend you scrap the whole VPS and buy a new one.
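
The checks listed in the post above, collected into one script as an added example (it is not part of the original post). The indicator values are copied from the post; the `--scan` flag, the `www-data` account name and the log paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: looks for the indicators named in the post above.
# Indicator values come from the post; everything else is an assumption.
IOC_DIR='ALPHA_DATA'
IOC_IPS='45.148.244.66 23.94.95.228 182.255.1.186 210.57.216.4'
# Turn the IP list into an ERE with literal dots: a\.b\.c\.d|e\.f\.g\.h|...
IOC_RE=$(printf '%s' "$IOC_IPS" | sed 's/\./\\./g; s/ /|/g')

# Directories named ALPHA_DATA below the given root (default /).
find_ioc_dirs() {
  find "${1:-/}" \( -path /proc -o -path /sys \) -prune -o \
       -type d -name "$IOC_DIR" -print 2>/dev/null
}

# Lines that contain an indicator IP as a whole token. Reads the given
# files, or stdin when none are given (for example `ss -tn` output).
match_ioc_ips() {
  grep -Ew -- "$IOC_RE" "$@"
}

# Filter `ps -eo user=,pid=,args=` lines from stdin: a '[ksmd]' that is
# not owned by root, or a program whose basename is exactly 'defunc'.
# Zombies print as '[name] <defunct>' and are not matched.
flag_procs() {
  awk '{ name = $3; sub(/^.*\//, "", name) }
       ($3 == "[ksmd]" && $1 != "root") || name == "defunc"'
}

# Usage (as root): sh ioc_check.sh --scan WEBUSER [ACCESS_LOG...]
if [ "${1:-}" = "--scan" ]; then
  webuser=${2:-www-data}   # assumption: account the web server runs as
  [ $# -ge 2 ] && shift 2 || shift
  echo "== directories named $IOC_DIR"; find_ioc_dirs /
  echo "== crontab of $webuser (review every entry)"
  crontab -u "$webuser" -l
  echo "== access-log lines from indicator IPs"
  [ $# -gt 0 ] && match_ioc_ips "$@"
  echo "== current connections involving indicator IPs"
  ss -tn 2>/dev/null | match_ioc_ips
  echo "== suspicious processes"
  ps -eo user=,pid=,args= | flag_procs
fi
```

Plain `grep` does not read compressed rotated logs, so decompress those first or pass them through `zcat` into `match_ioc_ips`.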