Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
G
G
German Gavrilov2013-05-27 00:52:09
Burglary protection
German Gavrilov, 2013-05-27 00:52:09

I found extra files on the server, it looks like I hacked - I don’t understand?

Good afternoon.

Somehow the site stopped working. It seems to have understood - the place on the server ran out, and the database flew off, cleaned the files uploaded by the user, restored the database and everything started working again.

Today it stopped working again, I thought again the files, got on the server, found the files created five days ago - 12.php and goge.php by code - it seems to be for sending mail and spam ... in the code I met this

<font color=red>FakeSender by POCT</font><br>
  Special for <a href="http://fuckav.ru" target="_blank">FuckAV.ru</a>


Plus, in the afternoon, several files were deleted from the site code, that it stopped working ... what to do ?? Understand what to change passwords - how to check for a flooded shell (

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
J
joneleth, 2013-05-27
@joneleth

lmgtfy.com/?q=linux+search+php+shell

Report
P
Pavel Zagrebelin, 2013-05-27
@Zagrebelion

Do not check in any way, but redeploy the OS and the site from backups. This is faster and easier than looking for where playful hands could get into and which system files were replaced.

Report
E
elliadan, 2013-05-27
@elliadan

Check ftp logs, web access logs (web server logs), bash history (just in case). If the file was uploaded via ftp, then there will be references to the files 12.php and goge.php - you will see who and when, and from where.
If through a hole in the application, it’s more difficult, but at least you will see when and “about how” - look for the first call to them in the web server logs.
“Check” is something like the
grep goge.php /path/to/log/file
bash history command (usually the file /home/username/.bash_history) to check if there was any suspicious activity from users who logged into the server via SSH
. Well, it would not be out of place to change passwords, at least for FTP.
this is, in short, "what to do" :)

Report
D
Daniel Newman, 2013-05-27
@danielnewman

maldet and a second, domestic php script for searching ... how about it. Search for maldet in the comments.

Similar questions
A
Andrey Ivanov2017-10-14 17:26:11
Is it worth talking about the vulnerabilities found? 2Reply
D
Denis Artemiev2017-10-17 10:34:00
How to exclude the possibility of hacking on the site? 1Reply
D
Daniil Tikhonov2017-11-24 09:36:25
How to prevent contact form hacking? 2Reply
T
Tom Nolane2017-12-11 10:54:03
Web site pentesting audit. Who used? 2Reply
G
Grigory Khrimyan2017-12-26 09:34:47
How to secure your backend from developers? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question