Already done. They're using the SQL injection to create a new page entry in the menu_router table whose access function was file_put_contents(). They then call this new page (in our case, they called it "nqabio") to…
I should add that the file was created by www-data:www-data, which for us stands out like a sore thumb as something created by a web page and NOT a user - our build process usually leaves it with a different user as the…
So, while patching our sites for this, we found one which apparently had already been patched. This was highly suspicious, especially since the file mod date is listed as approximately 9 hours ago when nobody was using…
Already done. They're using the SQL injection to create a new page entry in the menu_router table whose access function was file_put_contents(). They then call this new page (in our case, they called it "nqabio") to…
I should add that the file was created by www-data:www-data, which for us stands out like a sore thumb as something created by a web page and NOT a user - our build process usually leaves it with a different user as the…
So, while patching our sites for this, we found one which apparently had already been patched. This was highly suspicious, especially since the file mod date is listed as approximately 9 hours ago when nobody was using…