All files with extension psaux

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.4
Virtualmin version 7.20.2

Hey. I have noticed that my sites are not available. When I checked, I noticed that all files have an extension psaux and they are somehow coded (I can’t revert them). Anyone have any idea what happened? I can’t figure out what this file extension is.

Can you read the readme file? Hopefully it’s not some sort of encryption like what Windows was hit with.

No, I can’t read it. I can open it, but the content looks like it’s somehow coded.

I’m posting an example of how one of my PHP files looks:

Damn, googled with no answer. Is it confined to the website?

No, all websites hosted there are affected.

Looks like an infection; look for a running process that might be causing the infection.
Is it only on the public side or in the system itself? Hopefully you do backups.

Everything is affected including the system files.

I have backups, but only for the last two days, and there the files are affected as well 🙁.

I googled README.md.psaux and I have found other sites with the infection, but no post about what it is.
Did you install any software around the date of the infection?

Noticed the other site used composer as well.

No! Nothing. Today I just tried to open the sites and saw 404. When I checked I found this.

Bump, for interest and the lack of Google information on this extension.

@ivanovkbg Has this spread to anything outside your sites?

Is there a common app within all the affected sites?

Have you checked the logs like auth.log and syslog in Webmin > System > System Logs Viewer?

Everything is affected - every site and the system files.

I didn’t check the logs, because I’m on vacation without a laptop, but I will try using the phone.

ps aux is a command line to show information about running processes. How did you end up with it as a file extension?

Yes, all files have that extension.

What device are you using to take photos of the files?
Personally, I would shut down the server itself and try to start it back up in safe mode when you get back home. If this is spreading, you don’t want it to go any further.

Only thing I can find: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/2224/freetype-srcpsauxt1decodec-memory-corruption-vulnerability

I took the screenshots this morning before I left, but I had to leave my laptops behind.

The server is stopped and I will try to understand what happened when I come back. Very strange case: before switching to Virtualmin I used CWP for a long period and didn’t have any issues. I was happy with Virtualmin, and probably I should reinstall everything and start from scratch. I have automated backup on a remote server, but I store only 2 backups, for the last two days, and both are affected and I can’t restore.

Do you allow people to upload files to your websites? Could be an injection of some sort.

No! The sites don’t provide such an option.

That looks like a ransomware attack. Attackers encrypt the system and offer to unencrypt it for a bitcoin payment. Paying the ransom is generally a bad idea.

If it affects system files, then your system has been rooted and cannot be trusted. There aren’t any currently known root exploits in Webmin/Virtualmin, and haven’t been in several years, so it’s unlikely to be related to Webmin/Virtualmin. But, I’d be guessing if I tried to suggest any specific thing.

Restore from last known good backup, and invest the time figuring out how they got in. If they had root, that’s serious, and means it wasn’t just a web application exploit, it required some kind of privilege escalation. Ubuntu 22.04 is new enough to not be likely to have a privesc bug, so probably a weak password on your root or a sudo capable account. Or, you configured sudo with NOPASSWD for one or more users.
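The advice in this thread (check auth.log and syslog, assume the box is rooted if system files were touched, look for a guessed root/sudo password or a NOPASSWD sudo rule, and inventory what was renamed) can be turned into a small post-incident triage script. The following is an added example, not code from this thread or from Virtualmin: the auth.log lines, the sudoers text and the directory tree it scans are constructed for the demonstration, and it assumes the standard syslog-style sshd/sudo line format that Ubuntu 22.04 writes to /var/log/auth.log.

```python
"""Post-incident triage helpers for a suspected root compromise.

Added example, not Virtualmin code.  The auth.log lines, the sudoers text and
the directory tree below are constructed; run the real thing against copies
of the logs taken from a rescue boot, not on the compromised host itself.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Syslog-style sshd/sudo lines as written to /var/log/auth.log on Ubuntu 22.04.
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")
SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)")

# Constructed sample: a password-guessing run that ends in a successful root login.
SAMPLE_AUTH_LOG = """\
Jul 12 03:14:01 srv sshd[2210]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jul 12 03:14:03 srv sshd[2210]: Failed password for root from 203.0.113.9 port 51234 ssh2
Jul 12 03:14:05 srv sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2
Jul 12 03:14:07 srv sshd[2212]: Failed password for root from 203.0.113.9 port 51238 ssh2
Jul 12 03:14:09 srv sshd[2212]: Failed password for root from 203.0.113.9 port 51238 ssh2
Jul 12 03:14:11 srv sshd[2214]: Accepted password for root from 203.0.113.9 port 51240 ssh2
Jul 12 03:20:44 srv sshd[2301]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Jul 12 03:21:02 srv sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
""".splitlines()

# Constructed /etc/sudoers with two passwordless rules of the kind to hunt for.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""


def summarise_auth_log(lines):
    """Return (failed attempts per source IP, accepted logins, sudo commands)."""
    failed = Counter()
    accepted = []   # (user, source, auth method)
    sudo = []       # (invoking user, target user, command)
    for line in lines:
        m = SSH_FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = SSH_ACCEPTED.search(line)
        if m:
            accepted.append((m.group(2), m.group(3), m.group(1)))
            continue
        m = SUDO_CMD.search(line)
        if m:
            sudo.append((m.group(1), m.group(2), m.group(3).strip()))
    return failed, accepted, sudo


def suspicious_logins(lines, threshold=5):
    """Accepted logins from a source that also produced >= threshold failures:
    the signature of a password that was guessed rather than typed."""
    failed, accepted, _ = summarise_auth_log(lines)
    return [(user, src) for user, src, _ in accepted if failed[src] >= threshold]


def nopasswd_rules(sudoers_text):
    """Return (principal, rule) for every NOPASSWD rule in sudoers text."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "NOPASSWD" not in line:
            continue
        principal, spec = line.split(None, 1)
        rules.append((principal, spec.strip()))
    return rules


def find_renamed_files(root, ext=".psaux"):
    """Inventory every file under root carrying the ransomware suffix."""
    return sorted(str(p) for p in Path(root).rglob(f"*{ext}") if p.is_file())


def demo_file_inventory():
    """Build a constructed web root and return the renamed files found in it."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d) / "public_html"
        site.mkdir()
        (site / "index.php.psaux").write_bytes(b"\x00constructed ciphertext")
        (site / "README.md.psaux").write_bytes(b"\x00constructed ciphertext")
        (site / "style.css").write_text("body {}")
        return [Path(p).name for p in find_renamed_files(d)]


if __name__ == "__main__":
    failed, accepted, sudo = summarise_auth_log(SAMPLE_AUTH_LOG)
    print("failed attempts per source:", dict(failed))
    print("accepted logins:", accepted)
    print("sudo commands:", sudo)
    print("logins preceded by a guessing run:", suspicious_logins(SAMPLE_AUTH_LOG))
    print("NOPASSWD rules:", nopasswd_rules(SAMPLE_SUDOERS))
    print("renamed files in constructed tree:", demo_file_inventory())
```

Point `summarise_auth_log` at the lines of a copied auth.log (and its rotated `.1`/`.gz` siblings, since the interesting window may be days old), `nopasswd_rules` at `/etc/sudoers` plus every file in `/etc/sudoers.d`, and `find_renamed_files` at the mounted copy of the disk to see how far the renaming went; none of the three needs the compromised system to be running.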

? Been leveraged as an attack vector? Or we now know the OP is phone only access right now. So, maybe something that just shows on the phone?

Maybe this

He took the screenshots from his laptop before he left so not just an Android thing.

Your reference to GitHub is the only hit I found with psaux all together. I am not knowledgeable enough to look at code and make any connection with that link.

All Google wants to hear is ps -aux.