Malware is spreading through Linux and FreeBSD web servers, using various plugins to infect systems that are not up to date with security patches.
According to The Register, the “Mayhem” malware targets *nix servers, and transmissions have been traced from compromised computers to two command and control (C&C) servers. So far 1,400 machines have been found infected with the code, with potentially thousands more to come.
Once the malware exploits a remote file inclusion (RFI) flaw, or some other weakness, to run a PHP script on a victim server, it drops a shared object called libworker.so onto the infected system and pings its C&C servers. It then creates a hidden file system, usually called sd0, and downloads eight plugins, none of which were picked up by the VirusTotal malware scanning tool.
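
A defender's sweep for the two on-disk artifacts named above, as an added example that is not from the article or from the researchers it cites. The dot-prefixed `.sd0` variant, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
DROPPER_NAME = "libworker.so"        # shared object named in the article
HIDDEN_FS_NAMES = {"sd0", ".sd0"}    # "sd0" is from the article; ".sd0" is an assumed variant


def sweep(root):
    """Return sorted (kind, path) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in HIDDEN_FS_NAMES:
                findings.append(("hidden-fs", path))
            elif name == DROPPER_NAME:
                try:
                    with open(path, "rb") as fh:
                        is_elf = fh.read(4) == ELF_MAGIC
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                # A matching name with an ELF header is a stronger signal than the name alone.
                findings.append(("elf-shared-object" if is_elf else "name-only", path))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root containing harmless stand-in files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "uploads/libworker.so": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9,
        "uploads/sd0": b"\x00" * 64,
        "docs/libworker.so": b"placeholder text, not a binary\n",
        "index.php": b"<?php echo 'ok';\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for kind, path in sweep(build_sample_tree()):
        print(f"{kind:18} {path}")
```

A name match alone is weak evidence, and the article notes the plugins evaded scanner detection, so treat hits as leads for triage rather than a verdict.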