Server: nginx/1.29.3
System: Linux 11979.bigscoots-wpo.com 6.8.0-88-generic #89-Ubuntu SMP PREEMPT_DYNAMIC Sat Oct 11 01:02:46 UTC 2025 x86_64
User: nginx (1068)
PHP: 7.4.33
Disabled: exec,system,passthru,shell_exec,proc_open,proc_close,popen,show_source,cmd# Do not modify this line # 1684243876
File: //proc/1284357/root/bigscoots/cpanel/cryptohack.sh
#!/bin/bash

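# Watchdog for one known miner signature: as long as a process whose command
# line contains "./cron.php -e0.0.0.0 -p" is running, record its owner and its
# open files, kill it, and mail the report.
#
# Writes:  /root/tmpdtshack.txt (overwritten for every process handled)
# Sends:   one mail per process handled
#
# Killing the process only stops that instance. The lsof output collected
# below (cwd, txt and socket entries) is the evidence that points at the files
# and account needing cleanup, so it is captured BEFORE the kill.

# ERE for pgrep -f; dots are escaped so the signature is matched literally and
# an unrelated command line cannot be killed by a wildcard match.
MINER_PATTERN='\./cron\.php -e0\.0\.0\.0 -p'
REPORT=/root/tmpdtshack.txt

while :; do
	# pgrep never lists itself, so no "grep -v grep" filtering is needed.
	PIDHACK=$(pgrep -f "${MINER_PATTERN}" | head -n 1)
	[[ -n "${PIDHACK}" ]] || break

	# The process can exit between the lookup above and this call; in that
	# case there is nothing left to report or kill, so look again.
	PIDUSER=$(ps -o uname= -p "${PIDHACK}") || continue
	[[ -n "${PIDUSER}" ]] || continue

	{
		echo "cPanel User: ${PIDUSER}"
		echo "PID Info:"
		echo "---------------------------"
		/usr/sbin/lsof -p "${PIDHACK}"
		echo "---------------------------"
	} > "${REPORT}"

	kill -9  "${PIDHACK}"

	# NOTE(review): "[email protected]" is what the page's e-mail obfuscation
	# left behind; the real recipient has to be restored before this can run.
	mail -s "$HOSTNAME - cPanel User: ${PIDUSER} infected -  info in ticket." [email protected] < "${REPORT}"

	# If the process survived SIGKILL (not permitted, or stuck in the kernel),
	# stop here: looping again would find the same PID and send mail forever.
	if [[ -d "/proc/${PIDHACK}" ]]; then
		echo "PID ${PIDHACK} is still present after kill -9; stopping." >&2
		exit 1
	fi
done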