
[BUG] Crypto mining virus

Open zazy opened this issue 3 years ago • 5 comments

Describe the bug

I installed Taiga on a VPS following the guide and using a non-privileged user account named taiga. The taiga user account is not able to log in via SSH or FTP and is only available to root via su. The database engine is not exposed to external connections. Apache web server installed on Ubuntu Server 20.04.2. The VPS hosting Taiga had been infected with a crypto mining virus that started to attack lots of other servers. The virus was not identified or locked by ClamAV. I'm sure the infection came in through Taiga because all files are owned by the taiga user account. I found several scripts in the /tmp folder containing virus upgrade/update instructions. I also found in the taiga user account's home directory the whole set of virus scripts and executables. Furthermore, all cron actions had been saved in the taiga user account's crontab. The server has now been isolated to better investigate the instance image. On my Taiga instance sign-up is disabled and all projects were private. Really, I don't know how this happened. I'm here to find ideas.

Let me know if there is any information you need to investigate how this could have happened. The server is no longer running, so I can provide you with logs and config files only. I preserved the virus files if they can be useful.

zazy avatar Oct 25 '21 17:10 zazy