Solved

Malicious php file found in site's root directory

Posted on 2011-09-07
Medium Priority
885 Views
Last Modified: 2013-11-16
I just discovered a hidden file, called .inc.php, in the root of my Joomla site. Its second line identifies it as "WSO 2.1 (Web Shell by oRb)". It contains 63,004 characters and looks pretty nasty, although I can't really tell what it's doing.

I've replaced the site with an earlier version using Akeeba backup. The earlier version doesn't contain the malicious file in the root directory. Hopefully that means it's a version saved prior to being hacked, if that's in fact what has happened.

But whatever enabled the file to enter my site in the first place is probably unchanged, so I may still be vulnerable.

Are there any steps I should take? Is there any action I should or can take beyond replacing the site with an earlier version?

And is this a file that anyone is familiar with? Not sure what else to ask; I'm just a bit worried. I run the site, but it's my client's. It does plenty of business every day, and its database holds plenty of delicate data.

Thanks for any help or advice.
Question by:Jonathan Greenberg
7 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1000 total points
ID: 36500239
When I've seen something like that, it has been because someone gained access to the server and was able to upload files.  If it happens again, check to see who the 'owner' is.  If it's you then someone may have hacked your FTP access.
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 1000 total points
ID: 36500509
You should change all your passwords, especially FTP access passwords, and make them very hard to brute-force!

Also, you should examine the rest of your code for any infections that might be hidden here and there.
You can also check your log files to see when the server was accessed; this will help identify the time of the breach, and perhaps give you an idea of the extent of the harm done!
0
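The checks suggested in the two answers above (who owns the dropped file, whether similar files sit elsewhere in the code, and when the file was first requested) can be scripted. This is an added example, not code from any poster in the thread; the function names, the sample log lines and the Apache combined log format are assumptions, and only the `.inc.php` name and the banner text come from the question.

```python
import os
import re
import tempfile
from datetime import datetime

MARKER = b"Web Shell by oRb"  # banner the asker quoted from .inc.php
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed access-log lines (Apache combined format, documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2011:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Sep/2011:03:15:02 +0000] "POST /.inc.php?v=1 HTTP/1.1" 200 911 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Sep/2011:03:14:15 +0000] "GET /.inc.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def scan_webroot(root):
    """Flag hidden PHP files and PHP files carrying the banner; report owner and mtime."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the banner sat on line 2, so the head suffices
            reasons = [r for r, hit in (("hidden-php", name.startswith(".")),
                                        ("wso-banner", MARKER in head)) if hit]
            if reasons:
                st = os.stat(path)
                findings.append({"path": os.path.relpath(path, root), "reasons": reasons,
                                 "owner_uid": st.st_uid,
                                 "mtime": datetime.fromtimestamp(st.st_mtime)})
    return sorted(findings, key=lambda f: f["path"])

def requests_for(log_lines, url_path):
    """Return (time, client, method, status) for every request to url_path, oldest first."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(4).split("?", 1)[0] == url_path:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, m.group(1), m.group(3), int(m.group(5))))
    return sorted(hits)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for the site root
        with open(os.path.join(root, ".inc.php"), "wb") as fh:
            fh.write(b"<?php\n# WSO 2.1 (Web Shell by oRb)\n")
        print(*scan_webroot(root), sep="\n")
    print(*requests_for(SAMPLE_LOG, "/.inc.php"), sep="\n")
```

The earliest hit for the file bounds the time of the breach, which tells you whether a given backup predates it; the owner UID shows whether the file was written by your own FTP account or by the web server's user.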
 

Author Comment

by:Jonathan Greenberg
ID: 36500616
Thanks, Dave. Thanks, aboo. Passwords have all been changed. Aboo, I'll check the log files. Thanks for the idea.

I'd like to notify the host, which is Rochen. Maybe they would help. But I'm a little afraid of them freaking out and disabling the site. Any thoughts on this?

Thanks again.

Regards,
Jon
0
 
LVL 12

Expert Comment

by:Panagiotis S
ID: 36500713
Check your PC; scan it for viruses.
Don't use any cracked program as an FTP client.
0
 
LVL 10

Expert Comment

by:aboo_s
ID: 36500822
Well, you don't have to worry about them freaking out or anything. Even if your site was infected, their servers can still live with it; actually, it doesn't affect the system, only your site!

And yes, it would be a very good idea to consult with them; they must have the answers you are looking for.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 36500841
I would tell your hosting company.  It may actually be their problem and not yours.
0
 

Author Comment

by:Jonathan Greenberg
ID: 36503903
Contacting them now. Thank you both very much.
0

Question has a verified solution.