site is a Joomla 1.6 one (1.6 was a very weird release, abandoned for 1.7 within a few weeks and never really maintained anymore since then).
So yeah, the reason for the abuse complaint was quite obvious to me when I saw this after the first simple ls command:
Yes, every 2- or 3-letter folder contains malicious scripts that have been uploaded by attackers; also notice the net2ftp folder... Pretty much all of the scripts I checked are one-liners like:
Code:
<?php header("Location: http://com-wd24.net/space.php?a=218848&c=job_iw&s=j369"); ?>
Further compromises on higher levels did not appear; every site on my servers runs kinda chrooted in its own environment with its own user... so even if you get a shell script up there, you can't get higher than public htdocs level.
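
For cleanup, here is a scanner for the kind of file described above: a PHP file whose entire body is a single header("Location: ...") call to an absolute URL, with a flag for whether it sits under a 2- or 3-character folder. This is an added example, not part of the original post; the sample tree, the redirect.example and site.example domains, the function names and the 512-byte size limit are all assumptions.

```python
import re
import tempfile
from pathlib import Path

# A PHP file whose whole body is one header("Location: <absolute URL>") call.
REDIRECT_ONLY = re.compile(
    r"""^\s*<\?php\s*header\(\s*(["'])Location:\s*(?P<url>https?://[^"']+)\1"""
    r"""\s*\)\s*;\s*(?:(?:exit|die)\s*;\s*)?(?:\?>)?\s*$""",
    re.IGNORECASE,
)
SHORT_DIR = re.compile(r"^[A-Za-z0-9]{2,3}$")  # the 2- or 3-letter folders
MAX_BYTES = 512  # assumed limit: redirect stubs are tiny, skip anything larger

def find_redirect_stubs(docroot):
    """Return (relative path, target URL, in_short_dir) for each stub found."""
    root = Path(docroot)
    hits = []
    for path in sorted(root.rglob("*.php")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        m = REDIRECT_ONLY.match(path.read_text(errors="replace"))
        if m:
            rel = path.relative_to(root)
            in_short = any(SHORT_DIR.match(p) for p in rel.parts[:-1])
            hits.append((rel.as_posix(), m.group("url"), in_short))
    return hits

# Constructed sample tree; redirect.example is a placeholder domain.
SAMPLE = {
    "ab/index.php": '<?php header("Location: http://redirect.example/space.php?a=1&c=x"); ?>\n',
    "xyz/go.php": "<?php header('Location: http://redirect.example/space.php?a=2');exit;",
    "old/index.php": '<?php header("Location: /index.php"); ?>',  # local redirect
    "index.php": '<?php\nif (!$ok) { header("Location: http://site.example/login"); }\necho "home";\n',
    "components/com_content/router.php": "<?php\nfunction route() { return array(); }\n",
}

def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return find_redirect_stubs(tmp)

if __name__ == "__main__":
    for rel, url, in_short in demo():
        print(f"{rel}\t{url}\tshort_dir={in_short}")
```

Local redirects and files that contain any other code are deliberately not matched, so hits still need a look before deletion, and a clean result does not rule out other kinds of uploaded scripts.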