Someone is messing with my index.php file. Help!

Status
Not open for further replies.

david_villa07

Hello,

For the last 24+ hours, some guy has been automatically changing my index.php content. I replaced it and fixed it many times, but this guy keeps doing it somehow.

I even changed file permissions and changed all credentials. But somehow he's doing it.

Please help. :(

Thanks!
 
7 comments
Someone has most likely uploaded a shell to your account.

Go over every single file and look for files with names that look out of place
 
Checking the file modified date in directories on FTP is usually a giveaway for any newly uploaded/edited files.


Yep, exactly. First you must check for the file with the unknown name, then delete it; second, change all your passwords, like FTP and the others.
 
Dig in deep folders to see if the attacker has saved the shell there.
Check your software name on exploit-db to see if there's any latest bug.
You can't cure it only by reuploading the original index.php, you need to remove the vulnerability.
 
A good method of checking for shells is using grep on your server (or getting your host to do it for you) using the keywords from https://github.com/emposha/PHP-Shell-Detector. You need to adjust your PHP and MySQL settings to run it, but you can prevent that by just doing it manually. It has a shitload but if you put your mind to it, you can do it manually and quickly.

If I were you, I'd block access to your site entirely with a htaccess redirect till you find where the mess up is.
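
An added example, not written by any poster in this thread and not the PHP-Shell-Detector signature list: a POSIX shell function that combines the two checks suggested above, file modification time and a grep for constructs common in PHP shells. The names `triage` and `SHELL_PATTERN` and the pattern list itself are assumptions chosen for illustration, and the same functions also appear in legitimate code, so every hit needs a manual look.

```shell
#!/bin/sh
# Added example: triage a web root for likely PHP web shells.
# SHELL_PATTERN is a constructed starting set (assumption), not a complete
# signature list. The leading group stops matches inside longer identifiers
# such as filesystem_info( or my_eval(.
SHELL_PATTERN='(^|[^[:alnum:]_])(eval|assert|system|passthru|shell_exec|proc_open|popen|base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# triage ROOT DAYS
# Prints one line per PHP-like file that is recent, suspicious, or both:
#   HIGH   modified within DAYS days and contains a suspicious construct
#   RECENT modified within DAYS days, no suspicious construct found
#   MATCH  suspicious construct in a file with an older modification time
triage() {
    root=$1
    days=$2
    # '*.ph*' covers .php, .php5, .phtml and .phar in one expression.
    find "$root" -type f -name '*.ph*' -print | sort |
    while IFS= read -r f; do
        recent=no
        hit=no
        # find prints the path only if it was modified less than DAYS days ago.
        [ -n "$(find "$f" -mtime "-$days")" ] && recent=yes
        grep -qE "$SHELL_PATTERN" "$f" && hit=yes
        case "$recent$hit" in
            yesyes) echo "HIGH   $f" ;;
            yesno)  echo "RECENT $f" ;;
            noyes)  echo "MATCH  $f" ;;
        esac
    done
}
```

Call it as `triage /path/to/webroot 2`, where the path is your own document root. A `MATCH` on an old file still deserves review, because modification times can be reset after an upload.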
 
You have a shell uploaded on your server. The most important thing is to clean your server now and patch the vulnerable place. The bad news is that your server can become a botnet zombie machine.
 