
Scans for EncystPHP Webshell, (Mon, Apr 13th)

ID: 84b910c5-f4e3-5e69-b2f3-e89b6f9ff998

STIX ID: report--84b910c5-f4e3-5e69-b2f3-e89b6f9ff998

Feed Name: SANS ISC Diary

Threat Score: 65/100

Date Published: 2026-04-13

Date Updated: 2026-04-19

Attackers are scanning FreePBX deployments for the EncystPHP webshell (requests using an `md5` parameter) and delivering a payload that installs the webshell and adds multiple backdoor Linux accounts. Probes were observed from 160.119.76.250 and the payload was fetched from 45.95.147.178; administrators should audit the listed accounts and investigate any matching indicators of compromise.
