Linux is more secure but not invulnerable

Over the last week, I was called to check into why a CentOS server was behaving poorly. The server’s duty was web/email. The shenanigans were first spotted when a particular email address on the server in question refused to authenticate. I logged into the cPanel, changed the email’s password, and attempted to log into the user’s webmail. The second I logged in, the password was automatically changed again.

So, I started digging around.

Unfortunately, the machine had been severely compromised through a PHP exploit. How did that happen? The machine was deployed and never updated. So, the PHP version being used had long since reached its end of life. With around 300 or so other packages also sorely out of date, the machine was simply a sitting duck.