Quote:
Originally Posted by HEAT
Yes, all backdoors had the same strings starting with 6966202873 in my case.
|
Thanks, I've already found a few backdoor files in the thumbs folder of one of my ST installations. The string to search for is indeed "6966202873" on my backdoor files too
So people search your servers:
grep -R "6966202873" * > list_of_backdoor_files 
Oh, and the backdoor files are called "sync.php, thumbs.php and backup.php" in my case, user:group -> nobody:nobody