I recently noticed two .php files in the directory above my root folder. I don't recognize them or know what they do. I contacted my webhost to see if they put them there and after much back and forth determined that they hadn't. I was able to figure out from my security logs that 2 ip addresses (both supposedly owned by amazonaws.com) seem involved. I found their requests in my 404 error logs, each made what looks like one request for the file from my site url (www.mysite.com/cg-123.php) and 1 request for (www.mysite.com/cg-123..php?print_path=1). One made these attempts on one day and that was the first and last I saw from that IP. The other made identical attempts for the other file the next day, and that was the last I saw from that IP. (I looked up both IPs and no red flags, but I realize they could be fakes.) Looking at the file info on the files in my FTP agent, it shows the files were modified at the same time these requests were made (even though they appear to have resulted in 404 errors.) I have no idea how this could have happened. Again, this is happening in the directory ABOVE my root folder, which I thought was more secure. I have a LOT of security in place on my site and keep up on site security maintenance.
The fact that this is occurring in the directory above my root folder blows my mind.
1. Is this an attack at the server level? Are there any other ways this could occur?
2. Does anyone recognize this type of behavior as a known hack? I am clueless.
3. Is there any chance these are legit? Any known plugins or FTP services or the like to store .php files above the root?
4. How do I figure out how this access to my home directory (above my root) occurred and close it up? (I changed passwords, but it seems like there has got to be a bigger problem here.)
5. How do I restore or clean up the home directory? (all of my backups are only of the root, no idea about the directory above.)
6. Are there any sites that can evaluate .php files to determine what the code does? I don't know code, but I would like to know what has been affected.
Thank you in advance. I appreciate any help.