index.php file has been reported by Configsever exploit scanner

shanthini
(@shanthini)

5 years, 7 months ago

Hi

We scanned our server using Configsever exploit scanner and below is the report. In this index.php file is reported. Could you please suggest is this a security threat. If yes then how to fix this.

Scanning web upload script file…
Time : Sun, 8 Nov 2020 20:36:45 +0530
Web referer URL :
Local IP : xx.xx.xxx.xxx
Web upload script user : nobody (99)
Web upload script owner: xxxx (1004)
Web upload script path : /home/xxxx/public_html/index.php
Web upload script URL : http://xxxx.in/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=upload_image
Remote IP : xx.xx.xxx.xxx
Deleted : No
Quarantined : Yes [/home/quarantine/cxscgi/20201108-203643-X6gJgz1OJkALc9eudZL7HwAAADM-file-BVqI8v.1604848004_1]

Thank you

Viewing 4 replies - 1 through 4 (of 4 total)

George Appiah
(@gappiah)

5 years, 7 months ago
It appears your site is hacked. WordPress’s main index.php file should look something like this:
```
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
```
If you have a pristine backup taken before the hack, simply nuke the current site and restore the pristine backup. If you don’t have such a backup, kindly read this documentation thoroughly to find to how to properly clean up your site:

FAQ My site was hacked

After this, follow the guide below to find out how to properly secure and harden your website to thwart future attacks:

Hardening WordPress
Thread Starter shanthini
(@shanthini)

5 years, 7 months ago
Hi,

Our file also looks similar to the one you shared. Ref link: http://www.sierratec.com/downloads/ref-09112020-1.jpg

So the website is clean

The website is also working fine. In CXS scan alone we got the info like ‘ (Hits:1) (Viruses:0) (Fingerprints:1)’. I have already posted the details in my previous reply

Thank you
- This reply was modified 5 years, 7 months ago by shanthini.
- This reply was modified 5 years, 7 months ago by shanthini.
George Appiah
(@gappiah)

5 years, 7 months ago

This could be a false positive then.

I’ll advise you to contact the ConfigServer folks so they can look into this. Back when I managed cPanel servers I used their products and they had outstanding support.

George Appiah
(@gappiah)

5 years, 7 months ago

OK, let me take a closer look at this:

Web upload script URL : http://xxxx.in/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=upload_image

Is this .in domain your website, or is this pointing to a remote script being loaded on your site? I’m asking because this is pointing to a Joomla installation, not a WordPress site.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘index.php file has been reported by Configsever exploit scanner’ is closed to new replies.

index.php file has been reported by Configsever exploit scanner

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics