Textpattern CMS support forum

#25 2016-08-18 11:41:15

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,134
GitHub

Re: I think my TXP install is hacked!

jakob wrote #300697:

It’s not happened to me (yet!) but I’ve trawled hacked WP sites for files that “weren’t there”. Any tips on how to find – and then delete – that kind of thing?

In the spirit of openness, and to add to what Ross has already said: there was no evidence in FTP of the file (obfuscated PHP, renamed as a PNG file) or parent directory, even with hidden files enabled. I assumed it was a well-hidden rewrite rule, but couldn’t find any reference in any .htaccess inside the directory tree. So, my plan was to manually create a directory and then a blank or genuine PNG to override the rewrite and see if that took precedence (sometimes does, sometimes doesn’t).

I created a new directory called banners, which should have been called banner. I attempted to rename it, but couldn’t — directory already exists — and the penny dropped. Used Transmit’s “Go To Folder” option and moved to ./banner/ and the bogus file appeared. Ross confirmed it was OK to remove it completely, and it was zapped.

I guess here you knew what you were looking for. But if you’re not sure, and an ftp client won’t show it, could you copy the folder contents to a parallel folder (presumably then not including the “rogue file”), then delete the whole folder (and the “rogue file” with it), then rename the folder back to the previous name? Would something like that work?

I am not certain on this. I haven’t yet checked the full file backup that I took, but if the FTP application couldn’t ‘see’ it in plain sight I’m not convinced it would have come down. That said, if a recursive get/fetch FTP command was sent, maybe it would. I’ll check the download later today and report back.

Would it be discoverable via SSH if FTP doesn’t show anything?

This is more likely. Shared hosting doesn’t usually (in my experience) come with SSH access, alas. Can you imagine the mess if a thousand people had shell access on the same server? Wow!
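An added example, not part of the original posts: with shell access of the kind discussed above, a script run on the server walks the real filesystem instead of relying on an FTP client's listing, and flags files like the one described (PHP renamed as a PNG). The function names, the sample file names and the 1 MiB read limit are assumptions made for this example.

```python
import os
import tempfile

# Leading magic bytes for the image types commonly used as a disguise.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def scan_tree(root, max_bytes=1 << 20):
    """Flag image-named files under root that are not images or embed PHP."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            try:
                with open(os.path.join(root, rel), "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError as exc:
                # A file that cannot be read is itself worth a manual look.
                findings.append((rel, "unreadable: %s" % exc.strerror))
                continue
            if not data.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "content does not match extension"))
            elif b"<?php" in data.lower():
                findings.append((rel, "image header followed by PHP tag"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    samples = {  # constructed sample files, not taken from the thread
        "images/logo.png": png,
        "banner/ad.png": b"<?php /* placeholder for obfuscated code */ ?>",
        "banner/ad2.png": png + b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `scan_tree` with the site's document root and review each reported path by hand before deleting anything.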

#26 2016-08-18 17:23:14

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578
Website

Re: I think my TXP install is hacked!

Thanks for the info, Pete!

FWIW my shared host all-inkl.com does offer SSH upwards of a certain plan.


TXP Builders – finely-crafted code, design and txp
