Hey. I have noticed that my sites are not available. When I checked, I noticed that all files have the extension psaux and they are somehow coded (I can't revert them). Does anyone have any idea what happened? I can't figure out what this file extension is.
Looks like an infection; look for a running process that might be causing it.
Is it only on the public side or in the system itself? Hopefully you do backups.
I googled README.md.psaux and found other sites with the infection, but no post about what it is.
Did you install any software around the date of the infection?
What device are you using to take photos of the files?
Personally, I would shut down the server itself and try to start it back up in safe mode when you get back home. If this is spreading, you don't want it to go any further.
I took the screenshots this morning before I left, but I had to leave my laptops behind.
The server is stopped, and I will try to understand what happened when I come back. Very strange case: before switching to Virtualmin I used CWP for a long period and didn't have any issues. I was happy with Virtualmin, and probably I should reinstall everything and start from scratch. I have an automated backup on a remote server, but I store only 2 backups, for the last two days, and both are affected, so I can't restore.
That looks like a ransomware attack. Attackers encrypt the system and offer to decrypt it for a bitcoin payment. Paying the ransom is generally a bad idea.
If it affects system files, then your system has been rooted and cannot be trusted. There aren't any currently known root exploits in Webmin/Virtualmin, and there haven't been in several years, so it's unlikely to be related to Webmin/Virtualmin. But I'd be guessing if I tried to suggest any specific thing.
Restore from the last known good backup, and invest the time in figuring out how they got in. If they had root, that's serious, and means it wasn't just a web application exploit; it required some kind of privilege escalation. Ubuntu 22.04 is new enough that it's not likely to have a privesc bug, so probably a weak password on your root or a sudo-capable account. Or you configured sudo with NOPASSWD for one or more users.
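Two quick triage checks a practitioner would run on a rebuilt or forensic copy of the box, following on from the post above: list which accounts a sudoers configuration grants NOPASSWD to (and which of those are unrestricted `NOPASSWD: ALL`), and count files carrying the ransomware's extension under a directory to scope the damage. This is an added example, not code from the thread or from Virtualmin; the sudoers text and the directory contents it runs on are constructed samples, and nothing here identifies the actual malware.

```shell
#!/bin/sh
# Added example: post-compromise triage helpers. Nothing here is taken from
# the thread; the sudoers sample below is constructed for illustration.

# Constructed sample of an /etc/sudoers file (hypothetical users "deploy" and
# "backup"). In real use, feed `cat /etc/sudoers /etc/sudoers.d/*` instead.
SAMPLE_SUDOERS='
# sudoers sample (constructed)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
'

# Print the first field (user or %group) of every non-comment line that
# contains a NOPASSWD tag. Reads sudoers text on stdin.
nopasswd_users() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD:/ { print $1 }'
}

# Same, but only the entries that are unrestricted (NOPASSWD: ALL). These are
# the ones that turn any compromised service or user account into root.
unrestricted_nopasswd() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Count regular files under $1 whose name ends in ".$2" (e.g. psaux), so the
# spread of the encryption can be measured per directory before restoring.
count_ext_files() {
    find "$1" -type f -name "*.$2" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
printf 'NOPASSWD principals:\n'
printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_users
printf 'Unrestricted (NOPASSWD: ALL):\n'
printf '%s\n' "$SAMPLE_SUDOERS" | unrestricted_nopasswd
```

On a live system, run the sudoers check against `/etc/sudoers` plus everything in `/etc/sudoers.d/`, and run the file count over the web roots and home directories; the count per directory tells you whether the encryption was confined to what the web user could write or reached root-owned paths, which is the distinction the post above draws.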
He took the screenshots from his laptop before he left, so it's not just an Android thing.
Your reference to GitHub is the only hit I found with psaux all together. I am not knowledgeable enough to look at code and make any connection with that link.