Untitled

Upon investigation, it appears that the attacker has replaced large amounts of the operating system with their own files.
- Rebooting the server causes the real root user to be replaced with a fake one.
- Putting the server in Recovery Mode also causes the real root user to be replaced with a fake one. It's currently impossible for us to access the server because even the Recovery medium has been tampered with. To a technician, it may appear that the recovery is working, but in reality the attacker has changed even the kernel with a custom weaponized one. Rebooting the server loads the attacker's kernel and in turn their scripts, which wreak havoc on the server and prevent us from accessing it and extracting any of our data.
- It appears to us that they somehow managed to place their modified weaponized kernel wherever you keep your kernel files and the malware is loaded directly from the host (server4you). The second the server boots it loads the attacker's code which keeps us out.

The actual user data on the server is intact, so we really need your help to get back access to our files (PHP, photos, etc) and the database we have on the server. If the server boots normally, the attacker's code will attempt to wipe it clean of anything thus destroying all our data. There is no way for us to do anything remotely.

- Their scripts can detect connections and will trigger unexpected behavior if we boot the server in Recovery Mode from the control panel. This needs to be done from the Data Center.