All files with extension psaux

Yeah, it sounds like ransomware, but usually that comes with a ransom demand. Well, at least a semi-competent axehole crook would figure out the order of the exploit execution. :thinking:

It’s just strange that searches don’t turn anything up. Maybe the extensions are randomized somehow to try and cover tracks? I know I saw a machine try domain after domain trying to phone home once. Most of the domains were random gibberish. One actually announced ‘ransomware’ in the DNS request.

Y’all are reading too much into the file extension.


For sure it is not related to the phone. This morning I saw that all sites return 404 and when I checked I saw that all files have that extension and can't be loaded as PHP files.

The first idea was just to remove the extension, but I saw that the content of the files is somehow coded.

Tried to search on Google - nothing.

Very strange case.

When you said earlier "system files" were affected, but the web server is still running? What system files do you see that are encrypted?

For example virtualmin-src.psaux.

Probably my mistake and the system files are not encrypted.

That’s an extremely important distinction. If system files are affected in any way, then you know the system has been rooted and has to be reinstalled from scratch. You can never again trust a system that has been rooted.

But, if it's just one user, then it may just be that one web app that's exploited. In which case, restoring a known good backup for that one user/domain may be sufficient, as long as you figure out what was exploitable in the old website and fix it (maybe a web app update, or if it's custom code, well, you're on your own if it's custom code).
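A triage helper for the distinction drawn in the reply above (files under system directories versus one user's web root, and content that was really encrypted versus merely renamed): an added example written for this thread, not code from the forum or from Virtualmin. The sample tree and the uniform-byte stand-in for ciphertext are constructed, and the list of system prefixes is an assumption to adjust for your host.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed locations whose files belong to the OS rather than to a web user.
SYSTEM_PREFIXES = ("/etc", "/usr", "/bin", "/sbin", "/lib", "/boot", "/root", "/var/lib")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far lower for source or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_system_path(path: str, prefixes=SYSTEM_PREFIXES) -> bool:
    """True when the file lives under a system directory (host itself compromised)."""
    p = os.path.normpath(path)
    return any(p == s or p.startswith(s + os.sep) for s in prefixes)

def triage(root: str, ext: str = ".psaux", sample: int = 4096, threshold: float = 7.0) -> dict:
    """Walk root, collect files carrying the suspicious extension and classify each."""
    report = {"system": [], "user": [], "encrypted": 0, "renamed_only": 0}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(sample))   # head of the file is enough
            report["system" if is_system_path(path) else "user"].append((path, round(ent, 2)))
            # High entropy means the content was really encrypted, not just renamed.
            report["encrypted" if ent >= threshold else "renamed_only"] += 1
    return report

def build_sample_tree() -> str:
    """Constructed stand-in for one user's document root (not evidence from the thread)."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "home", "alice", "public_html")
    os.makedirs(site)
    with open(os.path.join(site, "index.php.psaux"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)        # uniform bytes: models ciphertext
    with open(os.path.join(site, "readme.md.psaux"), "wb") as fh:
        fh.write(b"# readme\n" * 100)           # plain text that was only renamed
    with open(os.path.join(site, "config.php"), "wb") as fh:
        fh.write(b"<?php return [];\n")         # untouched file, must not be reported
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Run it against `/` on a copy of the disk, not the live host; any hit in the `system` bucket is the "rebuild from scratch" case, while hits only under user web roots point at one exploited web app.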

I have found other infected systems just by googling readme.md.psaux.

i.e. https://www.agpgarage.fr/node_modules/mime/

node.js seems common to the sites.

But that may be the search I did and a coincidence.

I wonder which version they were using - it has had some problems recently particular to npm vulnerabilities - another reason why updating and monitoring old systems is important.


Upload a couple files to VirusTotal and see if they come up with hints what infection it could be.


Just an update from me.

I tried to upload some files to VirusTotal, but nothing.

I already reinstalled the server and tried to improve the security of the server, so now I'm waiting :D.

Thanks for that! So often on here there is no solution or update to issues raised :slight_smile:

Did you ever determine if it was a nodejs application? npm package or something else?

Proven Data - Free Ransomware Identification Service

and

  • decryption tools available here
  • they also recommend that you scan your computer for viruses to prevent re-encryption.

I would recommend

  • you take the system offline
  • copy the data to another drive
  • then work on the copy to decrypt your stuff
  • never put the system back online on an open network.

I don’t think it was related to nodejs app because I didn’t have any such apps. Only a few php apps were running.


Your first screenshot shows a composer file and it seems to be set up to pull files, so it's not a standard website.

@ivanovkbg - that's ransomware - cut all noise and save your time - rebuild your server from scratch and if you used some CMS like wordpress or presta or opencard etc, install only latest versions, also ssh only via ssh keys, no password. There is no reason you should spend any more time or energy to decrypt the files - even decrypted it's no use as someone had found a way in - remove the files and db too. I am sorry but - Good luck.

psaux = ransomware - it's been on google a long time.


I already did it - starting with a fresh installation.

On the server there are no sites using those CMSs.
