A handful of servers I manage are affected by this today:
About 1 in every 30 was breached before the patch was in most cases pulled, and some pushed. Others were self-managed, so I only get alerted after the fact lol.
Here’s some grief that attackers have done on exploited servers:
- Stole password hashes for every user account on the server (these can be cracked offline over time).
- Stole the MySQL root password and the server’s SSH private keys.
- Created hidden API tokens that would let them back in even after a password change.
- Created 10 unauthorized hosting accounts on the server (likely intended for phishing or scam sites).
- Opened multiple interactive root shells — the contents of what was typed are not logged, so we cannot see exactly what they ran inside those sessions.
- Likely downloaded a list of the accounts and contact details on the server.
Not cool!