Solved

Malicious php file found in site's root directory

Posted on 2011-09-07
Last Modified: 2013-11-16
I just discovered a hidden file, called .inc.php, in the root of my Joomla site. Its second line identifies it as "WSO 2.1 (Web Shell by oRb)". It contains 63,004 characters and looks pretty nasty, although I can't really tell what it's doing.

I've replaced the site with an earlier version using Akeeba backup. The earlier version doesn't contain the malicious file in the root directory. Hopefully that means it's a version saved prior to being hacked, if that's in fact what has happened.

But whatever enabled the file to enter my site in the first place is probably unchanged, so I may still be vulnerable.

Are there any steps I should take? Is there any action I should or can take beyond replacing the site with an earlier version?

And is this a file that anyone is familiar with? Not sure what else to ask; I'm just a bit worried. I run the site, but it's my client's. It does plenty of business every day, and its database holds plenty of delicate data.

Thanks for any help or advice.
Question by:Jonathan Greenberg
7 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 36500239
When I've seen something like that, it has been because someone gained access to the server and was able to upload files.  If it happens again, check to see who the 'owner' is.  If it's you then someone may have hacked your FTP access.
0
 
LVL 10

Assisted Solution

by:aboo_s
aboo_s earned 250 total points
ID: 36500509
You should change all your passwords, especially FTP access passwords; make them very hard to brute-force!

Also, you should examine the rest of your code for any infections that might be hidden here and there.
You can also check your log files to see when the server was accessed; this will help identify the time of the breach, and perhaps give you an idea of the size of the harm done!
0
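A triage sketch for the two checks suggested in the answers above (who owns the hidden file, and when the logs first show it being requested), as an added example that is not part of the original thread. It assumes an Apache-style combined access log; the function names and the sample log lines are constructed for illustration.

```python
import os
import re
from datetime import datetime, timezone

# Marker from the question: the file identified itself as "WSO 2.1 (Web Shell by oRb)".
MARKER = re.compile(rb"Web Shell by", re.IGNORECASE)
# Assumed Apache combined-log layout: client, [timestamp], "METHOD path ..."
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

def find_hidden_php(webroot):
    """Return one record per dot-prefixed .php file under webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.startswith(".") and name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the marker sat on the second line
                hits.append({
                    "path": os.path.relpath(path, webroot),
                    "owner_uid": st.st_uid,  # compare with your FTP account's uid
                    "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                    "marker": bool(MARKER.search(head)),
                })
    return hits

def first_requests(log_lines, rel_paths):
    """Map each suspicious path to (timestamp, client) of its earliest logged request."""
    wanted = {"/" + p.replace(os.sep, "/") for p in rel_paths}
    first = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, stamp, url = m.groups()
        path = url.split("?", 1)[0]  # ignore the query string
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if path in wanted and (path not in first or when < first[path][0]):
            first[path] = (when, client)
    return first

# Constructed sample log lines (documentation IP ranges), not from the original thread.
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Sep/2011:03:12:44 +0000] "POST /.inc.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Sep/2011:22:01:10 +0000] "GET /.inc.php?a=x HTTP/1.1" 200 812',
    '198.51.100.4 - - [05/Sep/2011:03:13:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]
```

The earliest request time bounds how far back a clean backup has to go; a file modification time can be altered by whoever uploaded the file, so the log entry is the stronger of the two signals.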
 

Author Comment

by:Jonathan Greenberg
ID: 36500616
Thanks, Dave. Thanks, aboo. Passwords have all been changed. Aboo, I'll check the log files. Thanks for the idea.

I'd like to notify the host, which is Rochen. Maybe they would help. But I'm a little afraid of them freaking out and disabling the site. Any thoughts on this?

Thanks again.

Regards,
Jon
0
 
LVL 12

Expert Comment

by:Panagiotis S
ID: 36500713
Look over your PC and scan it for viruses.
Don't use any cracked program as an FTP client.
0
 
LVL 10

Expert Comment

by:aboo_s
ID: 36500822
Well, you don't have to worry about them freaking out or anything. Even if your site was infected, their servers can still live with it; actually, it doesn't affect the system, only your site!

And yes, it would be a very good idea to consult with them; they must have the answers you are looking for.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 36500841
I would tell your hosting company.  It may actually be their problem and not yours.
0
 

Author Comment

by:Jonathan Greenberg
ID: 36503903
Contacting them now. Thank you both very much.
0

Question has a verified solution.
