We detected a new kind of malware today during a scan. This is what it does:
- It changes the hosts file of the server, which means it affects not only your website but ALL websites on the server (provided the hack is successful).
- A shell script named 1.sh is injected into the user's account.
- A cron job is created to run the 1.sh shell script every minute, so even if your website is clean it will be immediately affected, because the hack was performed server-wide and not only in your website account.
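The three indicators above can be checked without modifying anything on the server. The following is an added example, not the malware's script and not code from the original post; the function names, the `exampleuser` paths, the sample crontab and the idea of keeping a known-good copy of the hosts file are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: read-only triage for the three indicators listed above.
# All paths and the sample crontab below are constructed for illustration.

# Read crontab text on stdin; print entries that fire every minute
# ("*" or "*/1" in the minute field, "*" elsewhere) and invoke a file named 1.sh.
suspicious_cron_lines() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    ($1 == "*" || $1 == "*/1") && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
      for (i = 6; i <= NF; i++)
        if ($i ~ "(^|/)1\\.sh$") { print; next }
    }'
}

# List regular files named exactly 1.sh under a directory tree (e.g. /home).
find_dropped_scripts() {
  find "$1" -type f -name '1.sh' 2>/dev/null
}

# Succeed (exit 0) when the hosts file differs from a known-good copy.
# Keeping such a baseline copy is an assumption of this example.
hosts_differs_from_baseline() {
  ! cmp -s "$1" "$2"
}

# Constructed sample crontab, not taken from the incident.
sample_crontab='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * sh /home/exampleuser/1.sh >/dev/null 2>&1
*/1 * * * * /home/exampleuser/public_html/1.sh
*/5 * * * * /home/exampleuser/bin/11.sh'

# Prints the third and fourth sample lines only.
printf '%s\n' "$sample_crontab" | suspicious_cron_lines
```

On a live server, pipe `crontab -l -u <user>` for each account into `suspicious_cron_lines` and point `find_dropped_scripts` at the root of the home directories.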
Here is a screenshot of the shell script: