Malicious PHP file found in site's root directory
Posted on 2011-09-07
I just discovered a hidden file, called .inc.php, in the root of my Joomla site. Its second line identifies it as "WSO 2.1 (Web Shell by oRb)". It contains 63,004 characters and looks pretty nasty, although I can't really tell what it's doing.
I've replaced the site with an earlier version using Akeeba backup. The earlier version doesn't contain the malicious file in the root directory. Hopefully that means it's a version saved prior to being hacked, if that's in fact what has happened.
But whatever enabled the file to enter my site in the first place is probably unchanged, so I may still be vulnerable.
Are there any steps I should take? Is there any action I should or can take beyond replacing the site with an earlier version?
And is this a file that anyone is familiar with? Not sure what else to ask; I'm just a bit worried. I run the site, but it's my client's. It does plenty of business every day, and its database holds plenty of delicate data.
Thanks for any help or advice.
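
An added example, not part of the original post: the post checks only the root directory of the restored backup, so this sketch walks a whole restored tree for the two indicators the post gives, a dot-prefixed PHP file and the WSO banner near the top of the file. The function names, the `.phtml` extension, the five-line window and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicators taken from the post: a dot-prefixed PHP file whose second line
# carries the WSO banner. The 5-line window is an assumption of this sketch.
BANNER = b"Web Shell by oRb"
PHP_EXTS = (".php", ".phtml")
HEAD_LINES = 5


def scan_webroot(root):
    """Return sorted (relative_path, reason) pairs for suspicious PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    head = b"".join(fh.readline() for _ in range(HEAD_LINES))
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if BANNER in head:
                findings.append((rel, "wso-banner"))
            elif name.startswith("."):
                findings.append((rel, "hidden-php"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: harmless stand-ins, no real shell code."""
    os.makedirs(os.path.join(root, "media", "uploads"))
    samples = {
        "index.php": "<?php\n// site entry point (stand-in)\n",
        ".inc.php": "<?php\n# WSO 2.1 (Web Shell by oRb)\n",
        os.path.join("media", "uploads", "logo.php"): "<?php\n/* WSO 2.1 (Web Shell by oRb) */\n",
        os.path.join("media", ".cache.php"): "<?php\n// no banner\n",
        "readme.txt": "WSO 2.1 (Web Shell by oRb)\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_webroot(tmp):
            print(reason, rel)
```

A clean result only means these two indicators are absent from the tree; it says nothing about how the file was written there in the first place.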