@LLamaPie Everything has been clean now for about a week. I would consider this at least resolved on our end. Still no answer about when it became compromised exactly. Our hyper-paranoid theory is it may have been a “time bomb”. This could have been on the server for months before popping up. Our long-term solution is keeping endpoint protection in place. I have nothing else to add but if I discover anything I will let everyone know.

@LLamaPie Thanks for testing and letting me know.

@stephanvaningen php-php-gettext is the module it’s looking for, but you can safely remove this. I believe php-common module now provides php-gettext naturally moving forward. Which is part of why Ubuntu/Debian has renamed php-gettext to php-php-gettext.

This is how I addressed the same type of issue with working-1.6, not sure what the best approach with Ubuntu/Debian will be in regards to this though.