URGENT Malware attack

Hi Virtualmin

Since (what we noticed) this last Saturday, we’ve been experiencing problems with our Virtualmin server.
We currently host around 350 websites on it.

At ALL of the websites, www-data seems to upload files on its own, to all the customers.
index_backup.php - File added
.htaccess - File modified
w*********.php - File added

As of now, I do not see any means to track the files or where they come from!
I have found 1 website, where the server itself?! seems to use apache2 to visit the index_backup.php file!

Beyond this, it seemed also to send A LOT of emails - this has been dealt with though.

Any suggestions to this? It's very URGENT!
Please take a look at the attached screendump.


Did you intend to mark your post as private? I’m the only person who uses the Forums who can see private posts :slight_smile:

I’d highly recommend unchecking the private option, and just making sure that there aren’t any details within your post that contain sensitive information.

Regarding the issue you’re seeing though – what distro/version are you using there?