[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 896
  • Last Modified:

Malicious php file found in site's root directory

I just discovered a hidden file, called .inc.php, in the root of my Joomla site. Its second line identifies it as "WSO 2.1 (Web Shell by oRb)". It contains 63,004 characters and looks pretty nasty, although I can't really tell what it's doing.

I've replaced the site with an earlier version using Akeeba backup. The earlier version doesn't contain the malicious file in the root directory. Hopefully that means it's a version saved prior to being hacked, if that's in fact what has happened.

But whatever enabled the file to enter my site in the first place is probably unchanged, so I may still be vulnerable.

Are there any steps I should take? Is there any action I should or can take beyond replacing the site with an earlier version?

And is this a file that anyone is familiar with? Not sure what else to ask; I'm just a bit worried. I run the site, but it's my client's. It does plenty of business every day, and its database holds plenty of delicate data.

Thanks for any help or advice.
0
Jonathan Greenberg
Asked:
Jonathan Greenberg
  • 2
  • 2
  • 2
  • +1
2 Solutions
 
Dave BaldwinFixer of ProblemsCommented:
When I've seen something like that, it has been because someone gained access to the server and was able to upload files.  If it happens again, check to see who the 'owner' is.  If it's you then someone may have hacked your FTP access.
0
 
aboo_sCommented:
You should change all your passwords, especially FTP access passwords, make them very hard to be Brute Forced!

Also you should examine the rest of your code for any infections that might be hidden here and there.
You can also check in your log files to see when the server was accessed, this will help identify the time of the breach. And perhaps give you an idea about the size of harm done!
0
 
Jonathan GreenbergAuthor Commented:
Thanks, Dave. Thanks, aboo. Passwords have all been changed. Aboo, I'll check the log files. Thanks for the idea.

I'd like to notify the host, which is Rochen. Maybe they would help. But I'm a little afraid of them freaking out and disabling the site. Any thoughts on this?

Thanks again.

Regards,
Jon
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
Panagiotis Sweb developer - designer Commented:
look up your pc, scan for virus
Dont use any cracked program for ftp client.
0
 
aboo_sCommented:
Well, you don't have to worry about them freaking out or anything, even if your site was infected their servers can still live with it, actually it doesn't affect the system, only your site!

And yes it would be a very good idea t oconsult with them, they must have the answers you are looking for.
0
 
Dave BaldwinFixer of ProblemsCommented:
I would tell your hosting company.  It may actually be their problem and not yours.
0
 
Jonathan GreenbergAuthor Commented:
Contacting them now. Thank you both very much.
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now