• Resolved BetaCandy

    (@betacandy)


    Someone keeps creating folders on my public_html directory on my domain for https://thehathorlegacy.info. The folders are entitled with names of domains like “www.cartographia.net” – which is a domain I’ve gotten referrer spam from.

    I’ve deleted several plugins that use javascript, thinking that might be where the vulnerability is, but I really don’t know much about it. I ran the site through the scanner at https://blogsecurity.net/ and it found no problems.

    Has anyone seen anything like this, or do you have suggestions on what might be causing it?

Viewing 7 replies - 1 through 7 (of 7 total)
  • whooami

    (@whooami)

    yap — they're using a php shell.. Look in all your directories for any files that are oddly named or don't look right. Pay close attn to timestamps .. something that has a strangely newer timestamp, for instance.

    If you find a file or files, open it and look inside – if it “looks” malicious, it probably is. Delete the file if you like, or rename it, but write down the timestamp on the file, you will want that later ..

    Do that now, come back and let me know if you find anything. And be methodical in your search, don't miss any directories.. pretend you're searching through your kid’s room/significant other’s emails.
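
Added example (not part of whooami's post or of the original thread): a Python sketch of the timestamp check described above, meant to be run against a local copy of the site's files. The function names, the hostname pattern and the 7-day default are assumptions made for illustration.

```python
import os
import re
import sys
import time

# Heuristic (an assumption): a directory name shaped like a hostname,
# e.g. "www.example.net". Names such as "wp-content" do not match.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def triage(root, days=7, now=None):
    """Return (hostname_dirs, recent_files) found under root.

    recent_files holds (mtime, path) for files modified within the
    last `days` days, newest first.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hostname_dirs, recent_files = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if HOSTNAME_RE.match(name):
                hostname_dirs.append(os.path.join(dirpath, name))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if mtime >= cutoff:
                recent_files.append((mtime, path))
    recent_files.sort(reverse=True)
    return sorted(hostname_dirs), recent_files


def report(root, days=7):
    """Format the triage result as printable lines."""
    dirs, files = triage(root, days)
    lines = ["DIR   " + d for d in dirs]
    for mtime, path in files:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        lines.append(stamp + "  " + path)
    return lines


if __name__ == "__main__":
    # Usage: python triage.py /path/to/local/copy/of/public_html [days]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    print("\n".join(report(root, days)))
```

Modification times can be reset by whoever wrote a file, so an empty result narrows the search rather than ending it.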

    Thread Starter BetaCandy

    (@betacandy)

    Thanks for the quick response.

    Having no clue what I’m looking for, this is going to take a while. And I don’t know what “timestamps” are, sorry. Not seeing anything like that in Cpanel.

    whooami

    (@whooami)

    don't use cpanel’s file manager.. that's your first mistake.

    Go get an ftp client. Look at your site via ftp.

    Thread Starter BetaCandy

    (@betacandy)

    Okay, I’m not seeing anything with recent dates that I didn’t do myself. Except for the new folder whoeveritis just created.

    I asked my host for help, and they said: “But we have shell_exec and shell disabled from PHP, also, we run a scan every 2 hours that tries to find phpshell scripts (besides other exploits)”.

    *shrug* I’m at a loss. I’ve tried to search for this online, but I’m not finding anything quite like it.

    whooami

    (@whooami)

    if you want help, email me whoo —–AT—– whoo.org — I'm always up for a good mystery

    I wanted to revisit this thread for anyone that reads it.

    The OP says that her host informed her that they have the PHP function exec() disabled.

    They don't.

    So either they lied, or didn’t understand her question. The point is that you should never believe what a host says, always check for yourself.

    Thread Starter BetaCandy

    (@betacandy)

    Thanks to Whooami spending DAYS troubleshooting this, the problem is resolved. It turned out not to be a hack or anything malicious, but rather a weird combination of several plugins and some coding in the theme causing 404s to generate new folders. Whooami found that removing any one of several plugins fixed the error, but the best solution was to improve the 404 page’s template coding so that WP-Super-Cache could recognize it as a 404 page (it was trying to cache them, and that was creating the new folders).

    I may not be explaining this very well, but the end result was that a little change in the 404 template’s coding caused this to stop happening. And it was never actually being used by anyone maliciously, which is a relief.

  • The topic ‘Hacked – folders being created on my server’ is closed to new replies.