Solved

Malicious php file found in site's root directory

Posted on 2011-09-07
7
865 Views
Last Modified: 2013-11-16
I just discovered a hidden file, called .inc.php, in the root of my Joomla site. Its second line identifies it as "WSO 2.1 (Web Shell by oRb)". It contains 63,004 characters and looks pretty nasty, although I can't really tell what it's doing.

I've replaced the site with an earlier version using Akeeba backup. The earlier version doesn't contain the malicious file in the root directory. Hopefully that means it's a version saved prior to being hacked, if that's in fact what has happened.

But whatever enabled the file to enter my site in the first place is probably unchanged, so I may still be vulnerable.

Are there any steps I should take? Is there any action I should or can take beyond replacing the site with an earlier version?

And is this a file that anyone is familiar with? Not sure what else to ask; I'm just a bit worried. I run the site, but it's my client's. It does plenty of business every day, and its database holds plenty of delicate data.

Thanks for any help or advice.
0
Comment
Question by:Jonathan Greenberg
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 36500239
When I've seen something like that, it has been because someone gained access to the server and was able to upload files.  If it happens again, check to see who the 'owner' is.  If it's you then someone may have hacked your FTP access.
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 250 total points
ID: 36500509
You should change all your passwords, especially FTP access passwords, make them very hard to be Brute Forced!

Also you should examine the rest of your code for any infections that might be hidden here and there.
You can also check in your log files to see when the server was accessed, this will help identify the time of the breach. And perhaps give you an idea about the size of harm done!
0
 

Author Comment

by:Jonathan Greenberg
ID: 36500616
Thanks, Dave. Thanks, aboo. Passwords have all been changed. Aboo, I'll check the log files. Thanks for the idea.

I'd like to notify the host, which is Rochen. Maybe they would help. But I'm a little afraid of them freaking out and disabling the site. Any thoughts on this?

Thanks again.

Regards,
Jon
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 12

Expert Comment

by:Panagiotis S
ID: 36500713
look up your pc, scan for virus
Dont use any cracked program for ftp client.
0
 
LVL 10

Expert Comment

by:aboo_s
ID: 36500822
Well, you don't have to worry about them freaking out or anything, even if your site was infected their servers can still live with it, actually it doesn't affect the system, only your site!

And yes it would be a very good idea t oconsult with them, they must have the answers you are looking for.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36500841
I would tell your hosting company.  It may actually be their problem and not yours.
0
 

Author Comment

by:Jonathan Greenberg
ID: 36503903
Contacting them now. Thank you both very much.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Malicious software is nothing new. Viruses have been created and spread since before physical networks became popular; back then viruses spread via floppy disk and modem connections with shared systems. Viruses weren't so rampant and protecting your…
Read about achieving the basic levels of HRIS security in the workplace.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now