Hi, my Kloxo-MR ( ver 6.5.0.f-2013031808 ) VPS was hacked - all sites on admin accounts got "tgrl.html" file with content:
<html><head><title>Hacked By TurkTeam</title>
<link rel="SHORTCUT ICON" href="http://i.imgur.com/n54dIAD.gif">
<link href="http://fonts.googleapis.com/css?family=Orbitron" rel="stylesheet" type="text/css">
<link href="http://fonts.googleapis.com/css?family=Share+Tech+Mono" rel="stylesheet" type="text/css">
<style type="text/css">
body { color:#04BA4C;background:url(http://3.bp.blogspot.com/-D6nQQ3d_wfw/Ts31QI5aQPI/AAAAAAAAAgA/mMEBDufqDpk/s1600/0_1_1.gif) repeat center center fixed black;}
#q {font: 20px Share Tech Mono;color:darkgreen;}
.container > p {
<------>text-shadow: 0px 0px 20px #CC0000
}
.container > font {
<------>text-shadow: 0px 0px 20px #CC0000
}
#shadow {
<------>text-shadow: 0px 0px 20px #CC0000
}
</style>
<meta name="keywords" content="turkteam,hacked,defaced,hacked by turkteam,turkteam.org,hacked by turkteam.org">
</head>
<body>
<div class="container">
<br>
<center><br><br><br>
<font id="shadow" face="Orbitron" color="red" size="6">Hacked By </font></center><center>
<br><font id="shadow" face="Orbitron" style=" " color="red" size="6">TurkTeam</font><font style=" text-shadow: 0px 0px 20px #CC0000; " face="Orbitron" color="white" size="6">.Org</font></center><font face="Orbitron" color="white" size=
</font><center><br>
<img src="https://fbcdn-sphotos-c-a.akamaihd.net/hphotos-ak-xpa1/t1.0-9/10458112_331116590372224_7650303515172725644_n.jpg" width="600" height="250"></center><center><br>
<p><font id="shadow" face="Orbitron" color="white" size="6" >Patlamaya Hazir
</font></p>
<p><b><font id="shadow" face="Orbitron" color="red" size="6" >Bomba</font></b></p>
</center><br><br><br>
<center>
<b><font face="Orbitron" color="#04BA4C" size="5" style=" text-shadow: 0px 0px 20px #04BA4C; ">| S4cuRiTy EneMy | <font color="seagreen">Tgrl5000</font> | K37 King | G!4nT-C0d3 |</font></b></center>
<embed src="http://error-404.do.am/50256-h4ck3d.swf" width="0" height="0"></embed>
</div>
</body></html>
Happened on 28/06/2014 , almost no mentions in LOG files, except apache error log, which shows an attemt to access that tgrl file:
[Sat Jun 28 02:49:24 2014] [error] [client 157.55.39.208] File does not exist: /home/kloxo/httpd/default/robots.txt
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:51:28 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 02:56:15 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/tgrl.html
[Sat Jun 28 02:56:16 2014] [error] [client 41.101.228.11] File does not exist: /home/kloxo/httpd/default/favicon.ico
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 02:56:18 2014] [error] [client 41.101.228.11] Premature end of script headers: index.php
[Sat Jun 28 03:16:59 2014] [error] [client 192.110.165.118] File does not exist: /home/kloxo/httpd/default/components
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:45:58 2014] [error] [client 157.55.39.208] Premature end of script headers: index.php
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] SoftException in Application.cpp:350: UID of script "/home/kloxo/httpd/default/index.php" is smaller than min_uid
[Sat Jun 28 03:54:55 2014] [error] [client 123.151.149.222] Premature end of script headers: index.php
[Sat Jun 28 03:58:13 2014] [notice] Graceful restart requested, doing restart
[Sat Jun 28 03:58:16 2014] [notice] Digest: generating secret for digest authentication ...
[Sat Jun 28 03:58:16 2014] [notice] Digest: done
Any ideas would be appreciated.