VPS exploited for Bitcoin Mining. How to identify the flaw?

Solution 1:

Have you tried to decode that strange string in the access log?

Paste this string:

%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C$

In this site:

http://www.url-encode-decode.com

A quick Google search on the decoded ASCII text suggests that it's a Plesk vulnerability being exploited.

http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=The+Perils+of+the+Plesk+Zero-Day+Exploit
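Applying the decoding step from this answer to a whole access log, as an added example (not code from the original answer): the log lines below are constructed, and the list of php.ini directives worth flagging is an assumption; any `-d` directive arriving in a request query is abnormal on its own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). The first
# carries a percent-encoded "-d <directive>=<value>" sequence in the query, the
# pattern this answer decoded; the second is an ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2013:03:14:07 +0000] "POST /phppath/php?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E'
    '+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2013:03:15:22 +0000] '
    '"GET /index.php?page=home HTTP/1.1" 200 1024',
]

# Assumed watch list: php.ini settings an attacker would force via -d to make
# PHP fetch and run remote code or drop its protections.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation",
    "auto_prepend_file", "disable_functions", "open_basedir",
}

# Pull the request target out of a common/combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# After decoding, PHP CLI/CGI options look like "-d name=value".
DIRECTIVE_RE = re.compile(r"-d\s+([A-Za-z_.]+)=?(\S*)")


def decode_query(target: str) -> str:
    """Return the percent-decoded query string of a request target ('' if none).

    Apache logs the raw request line, so '+' and %XX escapes are still encoded.
    """
    _, _, query = target.partition("?")
    return unquote_plus(query)


def find_php_directives(line: str):
    """Decode one log line's query and return the (name, value) -d directives in it."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    return DIRECTIVE_RE.findall(decode_query(m.group("target")))


def scan_log(lines):
    """Return (line_index, directives, hits_watch_list) for lines injecting php.ini directives."""
    findings = []
    for idx, line in enumerate(lines):
        directives = find_php_directives(line)
        if directives:
            watched = any(name in SUSPICIOUS_DIRECTIVES for name, _ in directives)
            findings.append((idx, directives, watched))
    return findings
```

Run it over a real log with `scan_log(open("access.log").read().splitlines())`; a hit with `hits_watch_list` set is the same signature this answer found by hand.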

Solution 2:

You probably don't have the same problem as I did, but my VPS was exploited using a JBoss vulnerability, and they installed a web shell (pwn.jsp) and then used it to download some perl backdoor shell.

I just wanted to say to be alert on additional backdoors that the attacker could have left. I found my JBoss management console directory with an oddly named WAR file that when deployed would allow the attacker to deploy any application of his choice in my JBoss installation.

I have some more details in another Stack Overflow post and even more in a blog post.