[resolved] unknown .php files in directory above root folder (9 posts)

  1. amfm
    Posted 4 years ago #

    I recently noticed two .php files in the directory above my root folder. I don't recognize them or know what they do. I contacted my webhost to see if they put them there and after much back and forth determined that they hadn't. I was able to figure out from my security logs that 2 IP addresses (both supposedly owned by amazonaws.com) seem involved. I found their requests in my 404 error logs; each made what looks like one request for the file from my site URL (www.mysite.com/cg-123.php) and 1 request for (www.mysite.com/cg-123..php?print_path=1). One made these attempts on one day and that was the first and last I saw from that IP. The other made identical attempts for the other file the next day, and that was the last I saw from that IP. (I looked up both IPs and no red flags, but I realize they could be fakes.) Looking at the file info on the files in my FTP agent, it shows the files were modified at the same time these requests were made (even though they appear to have resulted in 404 errors). I have no idea how this could have happened. Again, this is happening in the directory ABOVE my root folder, which I thought was more secure. I have a LOT of security in place on my site and keep up on site security maintenance.

    The fact that this is occurring in the directory above my root folder blows my mind.

    1. Is this an attack at the server level? Are there any other ways this could occur?
    2. Does anyone recognize this type of behavior as a known hack? I am clueless.
    3. Is there any chance these are legit? Any known plugins or FTP services or the like to store .php files above the root?
    4. How do I figure out how this access to my home directory (above my root) occurred and close it up? (I changed passwords, but it seems like there has got to be a bigger problem here.)
    5. How do I restore or clean up the home directory? (all of my backups are only of the root, no idea about the directory above.)
    6. Are there any sites that can evaluate .php files to determine what the code does? I don't know code, but I would like to know what has been affected.

    Thank you in advance. I appreciate any help.

  2. adpawl
    Posted 4 years ago #

    Put the contents of these files here using http://pastebin.com/

  3. amfm
    Posted 4 years ago #

    Here are the two suspicious files. Please let me know if you have trouble viewing them.

  4. amfm
    Posted 4 years ago #

    These are the links, I don't know how to embed the code here.

  5. amfm
    Posted 4 years ago #

    Sorry, I must be doing something wrong.

  6. adpawl
    Posted 4 years ago #

    1. Maybe yes, maybe no. Maybe a server vulnerability, maybe direct FTP access, or any script vulnerability ... e.g. timthumb, an old plugin or WP version.
    2. See point 1
    3. Unlikely
    4. You have to clean up the entire server and remove the vulnerability that was used for the infection
    5. Manual or automatic using a script, the grep function etc. You can also ask your provider.
    6. ...The malicious code very often is coded (obfuscated). Such code requires manual analysis.
    A good knowledge of PHP is needed ... sometimes various tools can help,
    e.g. ideone.com, decoders from this page http://www.malwarehelp.org/freeware-open-source-commercial-website-security-tools-services-downloads.html

    Check the modification time of these files, then try to find in the server logs how they were created.

    ...The attached files are not the cause but merely the result of the use of a vulnerability.
    They constitute a reconnaissance tool for further attacks.


    online scanner:
    ...others: http://www.malwarehelp.org/freeware-open-source-commercial-website-security-tools-services-downloads.html


  7. amfm
    Posted 4 years ago #

    Thanks for your response. I am up to date on WP, themes, plugins, and no TimThumb code is in use. Would you mind elaborating a bit on what you mean in your #5 response? I'll check the sites you recommend in #6. My access log only seems to go back a day or so, which isn't too helpful in my case. Is that normal or am I looking at the wrong log? Thanks for the links and tips.

  8. adpawl
    Posted 4 years ago #

    #5 manual - edit all modified files and remove the malicious code.
    You can find them using grep http://codex.wordpress.org/User:Hakre/Grep_And_Friends#Find_.28infected.29_files_with_grep
    ...or by a PHP script (or another), e.g. using the stristr, preg_match etc. functions.
    You can also remove code using str_replace, preg_replace ...

    You can download all files to your PC and use software with batch processing to find / find&replace some code.

    #6 Access Log, something like that
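Added example, not code from this thread or from any of its posters: a small Python scanner that does what posts #6 and #8 describe together. It walks a directory for .php files, flags those whose content matches a grep-style signature (the obfuscation patterns post #8 suggests searching for, plus the `print_path` parameter seen in the 404 log in post #1), records each flagged file's modification time, and then pulls the access-log lines that were logged within a short window of that mtime, which is the cross-check post #1 did by hand. The signature list, the combined access-log format, the IPs, filenames and timestamps in `demo()` are all constructed for the demonstration and are not from the original site.

```python
"""Find signature-matching PHP files and the access-log entries logged around
their mtime. Added example; signatures and sample data are assumptions."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Generic indicators of obfuscated or remotely driven PHP. This list is an
# assumption chosen for illustration, not a complete or authoritative set.
SIGNATURES = {
    "eval-of-decoded-blob": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "print_path-probe": re.compile(rb"print_path"),  # parameter from the 404 lines in post #1
    "request-var-callable": re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
}

# Apache/nginx "combined" access-log line, e.g.
# 203.0.113.5 - - [12/Mar/2013:14:02:11 +0000] "GET /x.php HTTP/1.1" 404 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def scan_php_files(root):
    """Return one record per .php file under root whose bytes match a signature."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [label for label, rx in SIGNATURES.items() if rx.search(data)]
            if hits:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                findings.append({"path": path, "mtime": mtime, "hits": hits})
    return findings


def parse_access_log(lines):
    """Parse combined-format lines into (timestamp, ip, request, status); skip junk."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append((ts, m.group("ip"), m.group("req"), int(m.group("status"))))
    return entries


def correlate(findings, entries, window=timedelta(minutes=2)):
    """Attach to each finding the log entries within +/- window of its mtime."""
    for f in findings:
        f["nearby"] = [e for e in entries if abs(e[0] - f["mtime"]) <= window]
    return findings


def demo():
    """Constructed sample tree and log (not real data); returns the correlated findings."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")  # clean file, should not be flagged
    bad = os.path.join(root, "cg-123.php")
    with open(bad, "wb") as fh:
        fh.write(b"<?php if(isset($_GET['print_path'])) echo __FILE__;"
                 b" eval(base64_decode($_POST['c'])); ?>")
    # Pretend the file was written one second before the 404 probe was logged.
    t = datetime(2013, 3, 12, 14, 2, 10, tzinfo=timezone.utc).timestamp()
    os.utime(bad, (t, t))
    log = [
        '203.0.113.5 - - [12/Mar/2013:14:02:11 +0000] "GET /cg-123.php?print_path=1 HTTP/1.1" 404 512 "-" "curl/7.29"',
        '198.51.100.9 - - [12/Mar/2013:09:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
        "garbage line that is not a log entry",
    ]
    return correlate(scan_php_files(root), parse_access_log(log))


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["mtime"].isoformat(), f["hits"])
        for ts, ip, req, status in f["nearby"]:
            print("   ", ts.isoformat(), ip, status, req)
```

Run it against the directory above the web root with the real access log instead of the constructed one. Treat an mtime match as a lead, not proof: mtime can be reset with `touch`, and as post #7 notes, short log retention may mean the relevant lines are already gone. Every hit still needs the manual review post #6 asks for.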

  9. amfm
    Posted 4 years ago #

    Thanks for your help, adpawl. I was able to determine these files were placed by a site I used to run and store backups of my site. It turns out they were supposed to be deleted, but were accidentally left behind. Thankfully I figured it out right before nuking and starting over from a backup.

Topic Closed

This topic has been closed to new replies.