VPS exploited for Bitcoin Mining. How to identify the flaw?

hacking apache-2.2 vps

Solution 1:

Have you tried to decode that strange string in the access log?

Paste this string:

%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C$

In this site:

http://www.url-encode-decode.com

A quick google search on the decoded ascii text suggest that it's a Plesk vulnerability being exploited.

http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=The+Perils+of+the+Plesk+Zero-Day+Exploit

Solution 2:

You probably don't have the same problem as I did, but my VPS was exploited using a JBoss vulnerabilty, and they installed a web shell (pwn.jsp) and then used it download some perl backdoor shell.

I just wanted to say to be alert on additional backdoors that the attacker could have left. I found my JBoss management console directory with a oddly named WAR file that when deployed would allow the attacker to deploy any application of his choice in my JBoss instalation

I have some more details in another stackoverflow post and even more in a blog post

Related

How can a set a Security Group's email address using PowerShell?
BIND zone also-notify syntax
Postgres replication falling behind - master -> slave, slave, slave
Cannot find upstart logs in syslog despite a log-priority of debug (ubuntu 13.04 & mint 16)
Configuration Defaults for VMWare vSphere Virtual Machines
Delegating Control -- Windows Active Directory
The wisdom of 'server 127.127.1.0' in ntp.conf for virtual servers
Nginx config if and try_files
Session variables not persistent in PHP5/Apache2/Ubuntu12
What could cause an apache server to lock up with "sending reply" processes?
Downgrade IE11 on Windows 2012 Server R2
Puppet: create service before file but notify service if file changes