Recurring Server Compromise Enabled by Legacy Infrastructure (CentOS 6)

Scenario: One of our clients received an abuse alert from the hosting provider regarding sustained, excessive CPU usage on a server within our infrastructure. The usage patterns were consistent with post-exploitation activity, specifically resource abuse for cryptomining and lateral network scanning. The provider indicated the server was compromised via an unpatched cPanel/WHM installation (CVE-2026-41940), a […]
Identifying and Eradicating the Ebury Rootkit

Scenario: Our work with a newly onboarded client began with an immediate challenge: an active rootkit infection. At the time of our investigation, official documentation from the FBI and NHTCU had not yet been released, which required us to rely entirely on system forensics to identify the Ebury malware and determine the full extent of […]
Client File Transfer Protocol (FTP) Compromise and Phishing Kit Deployment

Scenario: During our regular monitoring, we discovered that a domain hosted on a client’s server was compromised. Attackers created a deep, hidden directory within the site’s file structure to host a fraudulent financial login page. This infrastructure hijacking was used to deploy a phishing kit targeting financial services. By nesting this malicious page within a […]