09-19-2017, 01:37 AM
The leftovers seem to indicate that they used some kind of a vulnerability to upload an uploader PHP code and then uploaded whatever they needed using that. Anyway, I use SSH / SCP with cert-based access, passwords are disabled there.