[resolved] Backdoor Infected (4 posts)

  1. Dolomats0
    Posted 3 years ago #


    My website was blocked by my hoster because they detected a backdoor
    on it. I unblocked it but still didn't clean this backdoor, and I don't
    have any idea how I should start or what I should do. My hoster sent me
    this email:

    Problem: Backdoor
    Apparent command: php.TEST.5 -c /usr/local/lib/php.ini-2 -d register_globals=0 -d magic_quotes_gpc=1 -d session.use_trans_sid=1 -d memcached_pass= -d ovh=best index2.php
    Executable used: /usr/local/bin/php.ORIG.5.3.16
    Timestamp: Thu Dec 20 23:02:14 CET 2012

    So if anyone has any idea what this message means, please show me where
    I should start searching.

    Thanks for the help.

  2. Mike Bijon
    Posted 3 years ago #

    It looks like the command that your hosting company alerted you to is running the script 'index2.php' using a non-standard PHP config. The non-standard config is in '/usr/local/lib/php.ini'.

    It's likely the non-standard PHP config allows index2.php to have extra permissions or use extra resources on your server.

    The first steps to resolving this are making non-executable copies of the php.ini and index2.php files and then deleting them. You may need to `ps` and then `kill` the PHP process on your machine before this works. The backup copies are so that you can read the file contents and figure out where else to check for hacks & trojans on your server ... I'd use "chmod 444 filename" and put them somewhere you won't forget to delete later.


    Once that's fixed, follow Jan's advice and go through those security suggestions. Usually when there's one hack on your server there are many, many more that are hidden elsewhere.
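
    The procedure above (look for the running PHP process, keep a read-only copy of the suspicious file for analysis, remove the original, then sweep the rest of the web root for similar code) as an added POSIX shell example. This is not code from the original thread or from the hosting company; the quarantine directory, the sample file contents and the grep patterns for common PHP obfuscation markers are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Quarantines a suspicious PHP
# file the way Mike's post describes and scans a web root for other files that
# use the same kind of obfuscation. All paths and sample inputs are constructed.

# Print the PIDs of PHP processes whose command line mentions the given script
# name, so they can be killed before the file is removed. Relies on ps(1) output
# format "pid args" (works on Linux procps and BSD ps).
find_php_procs() {
    ps -eo pid,args | grep -F "$1" | grep -F php | grep -v grep | awk '{print $1}'
}

# SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# quarantine_file SRC QUARANTINE_DIR
# Copies SRC into QUARANTINE_DIR as a read-only (0444) file, writes a .meta
# file next to it with the original path, hash and ownership/mtime listing,
# then deletes the original. Prints the path of the quarantined copy.
quarantine_file() {
    src="$1"; qdir="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$qdir"
    dest="$qdir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest"
    chmod 444 "$dest"
    {
        echo "original_path=$src"
        echo "sha256=$(hash_file "$src")"
        echo "listing=$(ls -l "$src")"
    } > "$dest.meta"
    chmod 444 "$dest.meta"
    rm -f "$src"
    echo "$dest"
}

# scan_suspicious_php WEBROOT
# Lists .php files under WEBROOT that contain markers commonly seen in PHP
# backdoors (assumed patterns: eval of base64/inflated/rot13 payloads and the
# old preg_replace /e modifier). A hit is a lead to read, not proof of compromise:
# legitimate plugins sometimes use these functions too.
scan_suspicious_php() {
    grep -rlE --include='*.php' \
        'eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\(|preg_replace\(.*/e' \
        "$1" 2>/dev/null | sort || true
}

# Usage (constructed demo under a temporary directory):
#   tmp=$(mktemp -d)
#   printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$tmp/index2.php"
#   scan_suspicious_php "$tmp"                       # lists $tmp/index2.php
#   quarantine_file "$tmp/index2.php" "$tmp/quarantine"
```

    Run the scan before and after quarantining: a single hit that turns out to be a backup plugin's own code (as in the follow-up post below) is very different from dozens of hits spread across upload directories, and the .meta file preserves the hash and ownership so you can later compare the file against a clean copy of the plugin.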

  3. Dolomats0
    Posted 3 years ago #

    Hello people, thanks for your answers. So I searched for the index2.php
    and I found it in the XCloner folder, and it's not a backdoor.

    I think it's just because I changed an option of "Backup refresh"
    from Ajax to normal, and XCloner was trying to edit the php.ini,
    and my host was taking it as a backdoor. I disabled the plugin and
    changed the CHMOD of the XCloner folder to 700, and now it's fine;
    the firewall of my host is not blocking my website, it's been 2 days now.

    OUUUUUUUUUUF, thank god I wasn't hacked.

    Thanks all for your support.

Topic Closed

This topic has been closed to new replies.
