Something is putting encoded files and changing my PHP scripts on one customer.
Permissions are fine, all software up to date, and it happens even on my self-made scripts.
Then they are being executed like this:
217.16.10.55 - - [14/Sep/2015:09:37:10 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
37.140.192.51 - - [14/Sep/2015:09:38:41 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
178.62.244.117 - - [14/Sep/2015:09:43:22 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
173.201.196.144 - - [14/Sep/2015:09:45:13 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
201.49.15.117 - - [14/Sep/2015:09:45:41 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
69.195.124.83 - - [14/Sep/2015:09:48:02 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
107.182.142.195 - - [14/Sep/2015:09:50:23 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
188.120.239.76 - - [14/Sep/2015:09:53:19 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
205.144.171.38 - - [14/Sep/2015:09:55:01 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
173.201.196.31 - - [14/Sep/2015:09:57:20 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
50.62.176.167 - - [14/Sep/2015:09:59:44 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
91.221.34.10 - - [14/Sep/2015:10:01:11 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
97.74.144.196 - - [14/Sep/2015:10:02:02 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
72.167.232.155 - - [14/Sep/2015:10:04:21 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
68.178.254.121 - - [14/Sep/2015:10:06:43 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26"
50.63.196.147 - - [14/Sep/2015:10:09:01 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 200 92 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"
198.71.227.36 - - [14/Sep/2015:10:13:19 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
77.65.80.246 - - [14/Sep/2015:10:13:56 +0200] "POST /panel/index.php?akcja=loguj HTTP/1.0" 200 565 "http://plotkara.com.pl/panel/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
184.168.27.177 - - [14/Sep/2015:10:15:40 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
97.74.24.182 - - [14/Sep/2015:10:17:13 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
163.178.107.196 - - [14/Sep/2015:10:18:07 +0200] "POST /cgi-bin/stats94.php HTTP/1.0" 404 4199 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0"