2021: notice malicious PHP files written in EVERY apache-writable directory in the filesystem.
The malware consists of index.php files that include a hidden .ico file, e.g. .37eb5bf3.ico
Decode the PHP with https://www.unphp.net/
2021-02-28
- Notice that these files all have different creation dates, from 2020-02 to 2021-02-13 - either the malware is able to set the dates, or they've been accumulating over time.
- delete all the index.php files except for the ones in /etc/drupal. find them with
find / -name index.php -ls
- put a sample .ico file in ~/malware/sample-ico-malware
- delete all the hidden .ico files. find them with
find / -type f -regex '.*/\.[^/]*\.ico' -ls
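
A read-only check to run before deleting anything (added example, not part of the original notes): it lists hidden .ico files that are not real icons and marks those whose mtime is more than a day older than their ctime, which bears on the question of whether the dates were set. The function names are made up for this example, and it assumes a stat that supports -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example. Nothing here deletes or modifies files.

# scan_hidden_ico ROOT: print hidden *.ico files that contain a PHP open tag
# or do not start with the ICO magic bytes 00 00 01 00.
scan_hidden_ico() {
    find "$1" -xdev -type f -name '.*.ico' 2>/dev/null | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        if grep -q '<?php' "$f" 2>/dev/null || [ "$magic" != "00000100" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# backdated FILE: succeed when ctime is more than a day later than mtime.
# Setting mtime (touch, utime) moves ctime to "now", so a large gap means the
# mtime was written after the fact. Backup restores and `cp -p` leave the same
# gap, so treat it as a hint, not proof.
backdated() {
    m=$(stat -c %Y "$1") && c=$(stat -c %Z "$1") || return 2
    [ $((c - m)) -gt 86400 ]
}

# report ROOT: one line per suspicious file, "<note><TAB><path>"
report() {
    scan_hidden_ico "$1" | while IFS= read -r f; do
        if backdated "$f"; then note="mtime-older-than-ctime"; else note="-"; fi
        printf '%s\t%s\n' "$note" "$f"
    done
}

# Usage: sh thisfile.sh /var/www
if [ "$#" -gt 0 ]; then report "$1"; fi
```

Files copied aside as samples (e.g. into ~/malware) will also be listed if they sit under the scanned root.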