Solved

Malicious php file found in site's root directory

Posted on 2011-09-07
7
875 Views
Last Modified: 2013-11-16
I just discovered a hidden file, called .inc.php, in the root of my Joomla site. Its second line identifies it as "WSO 2.1 (Web Shell by oRb)". It contains 63,004 characters and looks pretty nasty, although I can't really tell what it's doing.

I've replaced the site with an earlier version using Akeeba backup. The earlier version doesn't contain the malicious file in the root directory. Hopefully that means it's a version saved prior to being hacked, if that's in fact what has happened.

But whatever enabled the file to enter my site in the first place is probably unchanged, so I may still be vulnerable.

Are there any steps I should take? Is there any action I should or can take beyond replacing the site with an earlier version?

And is this a file that anyone is familiar with? Not sure what else to ask; I'm just a bit worried. I run the site, but it's my client's. It does plenty of business every day, and its database holds plenty of delicate data.

Thanks for any help or advice.
0
Comment
Question by:Jonathan Greenberg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 36500239
When I've seen something like that, it has been because someone gained access to the server and was able to upload files.  If it happens again, check to see who the 'owner' is.  If it's you then someone may have hacked your FTP access.
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 250 total points
ID: 36500509
You should change all your passwords, especially FTP access passwords, make them very hard to be Brute Forced!

Also you should examine the rest of your code for any infections that might be hidden here and there.
You can also check in your log files to see when the server was accessed, this will help identify the time of the breach. And perhaps give you an idea about the size of harm done!
0
 

Author Comment

by:Jonathan Greenberg
ID: 36500616
Thanks, Dave. Thanks, aboo. Passwords have all been changed. Aboo, I'll check the log files. Thanks for the idea.

I'd like to notify the host, which is Rochen. Maybe they would help. But I'm a little afraid of them freaking out and disabling the site. Any thoughts on this?

Thanks again.

Regards,
Jon
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 12

Expert Comment

by:Panagiotis S
ID: 36500713
look up your pc, scan for virus
Dont use any cracked program for ftp client.
0
 
LVL 10

Expert Comment

by:aboo_s
ID: 36500822
Well, you don't have to worry about them freaking out or anything, even if your site was infected their servers can still live with it, actually it doesn't affect the system, only your site!

And yes it would be a very good idea t oconsult with them, they must have the answers you are looking for.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36500841
I would tell your hosting company.  It may actually be their problem and not yours.
0
 

Author Comment

by:Jonathan Greenberg
ID: 36503903
Contacting them now. Thank you both very much.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CodeIgniter XSS confusion 5 110
SMTP log file for IMSVA 5 67
windows 10 - uninstall Mc Afee asks for password 9 37
Mode / vector of infections and attacks 3 34
This article summarizes using a simple matrix to map the different type of phishing attempts and its targeted victims. It also run through many scam scheme scenario with "real" phished emails. There are safeguards highlighted to stay vigilance and h…
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question