Answer the question
In order to leave comments, you need to log in
I found extra files on the server, it looks like I hacked - I don’t understand?
Good afternoon.
Somehow the site stopped working. It seems to have understood - the place on the server ran out, and the database flew off, cleaned the files uploaded by the user, restored the database and everything started working again.
Today it stopped working again, I thought again the files, got on the server, found the files created five days ago - 12.php and goge.php by code - it seems to be for sending mail and spam ... in the code I met this
<font color=red>FakeSender by POCT</font><br>
Special for <a href="http://fuckav.ru" target="_blank">FuckAV.ru</a>
Answer the question
In order to leave comments, you need to log in
Do not check in any way, but redeploy the OS and the site from backups. This is faster and easier than looking for where playful hands could get into and which system files were replaced.
Check ftp logs, web access logs (web server logs), bash history (just in case). If the file was uploaded via ftp, then there will be references to the files 12.php and goge.php - you will see who and when, and from where.
If through a hole in the application, it’s more difficult, but at least you will see when and “about how” - look for the first call to them in the web server logs.
“Check” is something like the
grep goge.php /path/to/log/file
bash history command (usually the file /home/username/.bash_history) to check if there was any suspicious activity from users who logged into the server via SSH
. Well, it would not be out of place to change passwords, at least for FTP.
this is, in short, "what to do" :)
maldet and a second, domestic php script for searching ... how about it. Search for maldet in the comments.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question