Quote from: nicboyde at Sep 15, 2018, 07:34 PM
Quote from: tm2000 at Sep 14, 2018, 06:32 PM
I had a site go down.
Many of us have been blitzed. If you didn't have a backup, here're some remedial steps to buy you some time.
In addition to meddled-with .htaccess and oddly-named php files in the web root you should check for:
Any directory where the date is out of step with all the other (installation) dates will probably have a dodgy php file, or an .ico file which is really a php file in disguise. The hacking program seems to provide file dates on the dodgy stuff equal to neighbouring (legitimate) file dates but does not do the same for the directory in which these dodgy files are placed.
Check your index php files wherever they are. The one in the webroot too. It may well have a few lines inserted just after the
Hi there.
I followed the process you suggested, and reviewed every individual php and ico file and removed the code which the hackers are injecting.
Re-set up the site from a fresh install, then connected back to the original db.
I thought that had sorted it - but this morning the php files all have the injected code again, and I have index.php files in directories which shouldn't be there.
Interestingly - I also have the site installed on a subdomain (which is where I prepared it for the fresh install) and THAT site is fine still.
So, I'm a little confused as to how they are accessing the files - it doesn't seem as though they have access to the DB - because if they did - the dev site would also be infected, but similarly - if there were some infected files on the dev site before I moved it back - those too would be infected.
Very confused!!
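An added example, not code from either poster: a Python scanner that implements the checks discussed above against a constructed site layout. It flags files whose name says .ico (or anything other than .php) but whose content carries a PHP open tag, directories whose modification time is out of step with the median directory date (dropping a file into a directory updates the directory even when the file itself has been back-dated to match its neighbours), and, since a clean copy still exists on the dev subdomain, files that are added or changed relative to that clean copy. The directory names, timestamps and placeholder file contents are constructed for the demo and are not real SMF files; `scan()` is what you would point at a live root and a known-clean root.

```python
import hashlib
import os
import shutil
import statistics
import tempfile

PHP_TAGS = (b"<?php", b"<?=")
INSTALL_TIME = 1_500_000_000  # constructed "installation date" shared by every legitimate file

# Constructed stand-in for a clean install: paths and contents are placeholders, not real SMF files.
LEGIT = {
    "index.php": b"<?php\n// constructed stand-in for the front controller\nrequire 'Sources/Load.php';\n",
    "Sources/Load.php": b"<?php\n// constructed legitimate source file\nfunction loadSettings() {}\n",
    "Themes/default/index.template.php": b"<?php\n// constructed theme template\n",
    "Packages/.keep": b"",
    "attachments/.keep": b"",
    "cache/.keep": b"",
}


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def looks_like_php(path, head=4096):
    """True if the first `head` bytes of the file contain a PHP open tag."""
    try:
        with open(path, "rb") as fh:
            chunk = fh.read(head)
    except OSError:
        return False
    return any(tag in chunk for tag in PHP_TAGS)


def find_disguised_php(root):
    """Files whose extension is not .php but whose content is PHP (e.g. an .ico that is really a script)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() != ".php" and looks_like_php(path):
                hits.append(_rel(path, root))
    return sorted(hits)


def find_outlier_dirs(root, window_seconds=86400):
    """Directories whose mtime is more than `window_seconds` away from the median directory mtime.
    Writing a new file into a directory bumps the directory's mtime even if the file is back-dated."""
    dirs = [os.path.join(dirpath, d) for dirpath, subdirs, _f in os.walk(root) for d in subdirs]
    if not dirs:
        return []
    median = statistics.median(os.stat(d).st_mtime for d in dirs)
    return sorted(_rel(d, root) for d in dirs if abs(os.stat(d).st_mtime - median) > window_seconds)


def _hashes(root):
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[_rel(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_against_clean(live_root, clean_root):
    """Compare a live tree with a known-clean copy: (files only in live, files whose content differs)."""
    live, clean = _hashes(live_root), _hashes(clean_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified


def scan(live_root, clean_root):
    """Run all three checks; on a real host clean_root would be the untouched dev-subdomain copy."""
    added, modified = diff_against_clean(live_root, clean_root)
    return {"disguised": find_disguised_php(live_root), "outlier_dirs": find_outlier_dirs(live_root),
            "added": added, "modified": modified}


def build_clean_tree(base):
    """Write the constructed clean layout and stamp every file and directory with INSTALL_TIME."""
    for rel, content in LEGIT.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    for dirpath, dirs, files in os.walk(base):
        for name in files + dirs:
            os.utime(os.path.join(dirpath, name), (INSTALL_TIME, INSTALL_TIME))


def infect(live):
    """Constructed imitation of the behaviour described in the thread: dropped files get their
    neighbours' dates, an existing file gets lines after its open tag, directories are not touched."""
    dropped = {
        "Themes/default/favicon.ico": b"<?php /* constructed placeholder: PHP behind an .ico name */ echo 'x';\n",
        "cache/index.php": b"<?php /* constructed placeholder in a directory that had no index.php */\n",
    }
    for rel, content in dropped.items():
        path = os.path.join(live, rel)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (INSTALL_TIME, INSTALL_TIME))  # back-dated to blend in with its neighbours
    index = os.path.join(live, "index.php")
    with open(index, "rb") as fh:
        original = fh.read()
    with open(index, "wb") as fh:
        fh.write(original.replace(b"<?php\n", b"<?php\n/* constructed placeholder: injected lines */\n", 1))
    os.utime(index, (INSTALL_TIME, INSTALL_TIME))


def run_demo():
    """Build a clean copy and an infected copy in a temp dir, scan the infected one, return the findings."""
    base = tempfile.mkdtemp()
    try:
        live, clean = os.path.join(base, "live"), os.path.join(base, "dev")
        build_clean_tree(live)
        build_clean_tree(clean)
        infect(live)
        return scan(live, clean)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {paths}")
```

The directory-date check is the one that survives back-dating of the files themselves, which is why it catches both the dropped .ico and the index.php placed in `cache`; the diff against the clean copy is what tells you which existing files were edited in place, and it is only as trustworthy as the copy you compare against.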