

Being exploited on system, what's the source?




Posted by lovelycesar, 08-29-2012, 01:33 PM
Hello, I am consulting on a system that's infected by some kind of malware that creates phishing files/folders. I have found some traces such as this file: So, what's this file? Please help. PS. Maldet was not able to detect this. Last edited by bear; 08-29-2012 at 03:20 PM.

Posted by KMyers, 08-29-2012, 01:41 PM
Hello. This is actually a PHP backdoor file manager that allows an attacker to upload/download or modify the contents of the server. I ran this code on my laptop and here is what it looks like. If you want to see what the attacker can do, just change the 2nd line to read $auth_pass = "81dc9bdb52d04dc20036dbd8313ed055"; and call the page in your browser, using the password "1234". Make sure you delete it after. These attacks normally happen due to improperly secured applications like WordPress. Note: I reported your post to have the mods snip the exploit code; it is best that these not be made public. Last edited by KMyers; 08-29-2012 at 01:46 PM.
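The reply above identifies the file by a single tell: its second line assigns a 32-character MD5 hex digest to $auth_pass (the digest quoted is md5 of "1234"), and the poster notes that Maldet had no signature for it. The following scanner is an added example, not code from the thread or from Maldet: it walks a web root, flags PHP files that carry the $auth_pass-with-MD5 pattern from the thread, and also flags two generic webshell idioms (eval of decoded data, and a shell-execution function fed directly from a request parameter) that are my own assumed indicators rather than anything the thread describes. The file contents in SAMPLES are constructed so the block runs offline.

```python
import hashlib
import os
import re

# Indicator taken from the thread: the backdoor's second line set $auth_pass to an
# MD5 hex digest so the attacker could log in to the file manager.
AUTH_PASS_RE = re.compile(r'\$auth_pass\s*=\s*["\']([0-9a-fA-F]{32})["\']')

# Assumed generic indicators (not from the thread): code that evaluates decoded
# payloads, or passes a request parameter straight into a shell-execution function.
GENERIC_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r'eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I),
    "shell_exec_of_request_param": re.compile(
        r'\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I),
}

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phps")

# Constructed sample files: one backdoor shaped like the thread's, one clean file,
# and one file with a generic eval-of-decoded-input idiom.
SAMPLES = {
    "uploads/shell.php": '<?php\n$auth_pass = "81dc9bdb52d04dc20036dbd8313ed055";\n$color = "#df5";\n',
    "index.php": '<?php\necho "hello";\n',
    "wp-content/plugins/x/plugin.php": "<?php\neval(base64_decode($_POST['x']));\n",
}


def md5_hex(text):
    """MD5 hex digest of a string; used only to confirm the thread's stated hash."""
    return hashlib.md5(text.encode()).hexdigest()


def scan_source(text):
    """Return a list of (indicator, detail) findings for one PHP source text."""
    findings = []
    match = AUTH_PASS_RE.search(text)
    if match:
        findings.append(("hardcoded_md5_auth_pass", match.group(1).lower()))
    for label, pattern in GENERIC_PATTERNS.items():
        if pattern.search(text):
            findings.append((label, ""))
    return findings


def scan_samples():
    """Scan the constructed SAMPLES and return {relative_path: findings} for hits only."""
    return {path: f for path, f in ((p, scan_source(t)) for p, t in SAMPLES.items()) if f}


def scan_tree(root):
    """Walk a real web root and return {absolute_path: findings} for files that match."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                findings = scan_source(fh.read())
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in scan_samples().items():
        for indicator, detail in findings:
            print(f"{path}: {indicator} {detail}".rstrip())
```

Run scan_tree("/path/to/webroot") on a copy of the compromised account rather than in place, and treat every hit as a file to preserve for the investigation before it is removed; the $auth_pass pattern is specific to this family, while the generic patterns will also surface sloppy but legitimate code and need a manual look.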

Posted by lovelycesar, 08-29-2012, 01:59 PM
Thank you. I am sorry, I was not aware that this file should not be posted publicly. However, I could not delete/edit my previous post.

Posted by KMyers, 08-29-2012, 02:06 PM
No problem, I am sure the mods are used to snipping these, so it is not a big deal. Just a few tips: you should consider everything in your account compromised. Aside from having the ability to upload files to your website, the attacker also had the ability to view and modify databases. Here is the best way to recover:
1) Back up your database and files.
2) Terminate/recreate the account.
3) Do a fresh install of your software.
4) Upload the database.
5) Change all passwords and verify that no additional users have been added to the administrative users table.
6) Manually upload all images/CSS/themes. If you have the original theme, please use that rather than pulling it from the backup.
