I didn't think this was possible, but hackers had enough access to upload a backdoor .php file to various websites hosted via OpenLiteSpeed.
They exploited some WordPress vulnerability and uploaded a .php file somewhere containing a backdoor.
This file was a backdoor that allowed you to execute shell commands inside the server.
The version of OLS I used was 1.7.11.
PHP Backdoor:
https://pastebin.com/bQXuRQ26
How were they able to upload this file and still run it? OpenLiteSpeed does not block access to this backdoor if you enter the path via URL in a browser.
Through this backdoor, hackers had the ability to run a cryptocurrency Monero miner on my server; the command was executed in memory. I didn't find any files of this miner, but when I entered the server and gave the command "htop", I had the process called "./xmrig" occupying 100% of the CPU.
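The post describes a running "./xmrig" process with no miner file found on disk. The following is an added example, not part of the original post, that lists Linux processes whose executable was deleted after launch or was run from an anonymous memory file; which of the two happened here is an assumption, since the post does not say, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag processes whose executable no longer exists on disk.
# On Linux, /proc/<pid>/exe is a symlink to the running binary. If the file
# was unlinked after launch, the target ends in " (deleted)"; a binary run
# from an anonymous memory file appears as "/memfd:<name> (deleted)".

# classify_exe TARGET -> prints memfd | deleted | ok
classify_exe() {
    case "$1" in
        /memfd:*)      echo memfd ;;
        *" (deleted)") echo deleted ;;
        *)             echo ok ;;
    esac
}

# scan_proc [ROOT] -> one line per flagged process: "PID CLASS TARGET | CMDLINE"
# ROOT defaults to /proc; passing another directory is only useful for testing.
scan_proc() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Kernel threads, and processes we may not inspect, have no readable link.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        class=$(classify_exe "$target")
        [ "$class" = ok ] && continue
        # cmdline is NUL-separated; convert to spaces for display.
        cmd=$(tr '\000' ' ' 2>/dev/null < "$dir/cmdline") || cmd=""
        echo "${dir##*/} $class $target | $cmd"
    done
}

# Run as root so that every process's exe link can be read.
scan_proc "$@"
```

Daemons still running from a binary that a package upgrade has since replaced are also reported as deleted, so compare each hit's owner and command line against what is expected on the host.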