I’ve found a new PHP file in my document root that I did not put there. It is named “index_syoezp69gf.php” and seems to be a copy of my current index.php file, but with the addition of what looks like malicious code for directory traversal.
I’ve found this once before, shortly after I first made the index.php page. At that time (several days ago) I deleted it, but today I found it again. I am the only one using the site, but for whatever reason, someone or something is uploading this to the root folder (so I suspect FTP?) - however without logs for the FTP access, I can’t confirm if someone else has accessed my server or not…
This does look like your website is being hacked. One of the possibilities is that someone gained access to your hosting account and FTP details.
But website files can be written through PHP as well, and that’s a much more common attack vector in my experience.
The first option is that your website has a Remote Code Execution vulnerability. For example a file upload function that doesn’t properly check what’s being uploaded and lets people upload their own PHP code to your website. This can be caused by errors you caused or an external developer caused in software you are using. Especially if you’re using outdated versions of software.
And the second, and most common option, is that you may have installed software that contains a backdoor. If you download software from the internet and upload it to your site, there is a chance it contains code that does things you don’t want. If you get it from a trusted source, like a plugin from WordPress.org or a theme from ThemeForest, you’re usually quite safe. But if someone else “kindly” uploaded that same $50 ThemeForest theme somewhere else for you to download, there is a big chance that they made some modifications to the code that lets them hack your site.
As for what to do next, the thing you should do at minimum is reset your hosting account password. Resetting your client area password is probably not necessary, but you can do it anyways for good measure, and enable Two Factor Authentication for good measure if you haven’t already.
But if you want to be really sure your website is safe, the only way to do so is to erase everything on your hosting account and start from scratch. Reinstall all software using fresh copies downloaded from the official sources, and only install software you can trust. Don’t use any (file) backups, as they may still contain the malware.
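An added example, not code from this thread: a small Python baseline check for a document root that catches exactly the symptom described in the question, a new `<name>_<random>.php` appearing beside an existing `<name>.php`. Take the manifest right after a clean deploy and re-run the comparison on a schedule; the directory, file names and contents below are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

def hash_file(path):
    """SHA-256 of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

# Heuristic: "<base>_<random letters/digits>.php" where <base>.php already exists (e.g.
# index_syoezp69gf.php beside index.php). A digit is required so index_backup.php is not flagged.
LOOKALIKE = re.compile(r"^(?P<base>.+?)_(?=[a-z]*[0-9])[a-z0-9]{6,}\.php$")

def compare(baseline, current):
    """Report new, changed and deleted files, plus new look-alike PHP files."""
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    suspicious = []
    for p in new:
        m = LOOKALIKE.match(os.path.basename(p))
        if m and os.path.join(os.path.dirname(p), m.group("base") + ".php") in baseline:
            suspicious.append(p)
    return {"new": new, "changed": changed, "deleted": deleted, "suspicious": suspicious}

def demo():
    """Constructed scenario mirroring the thread: clean baseline, then a suffixed copy appears."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        baseline = build_manifest(root)  # record this right after a clean deploy
        with open(os.path.join(root, "index_syoezp69gf.php"), "w") as f:
            f.write("<?php echo 'hello'; /* constructed: unexpected extra code */ ?>\n")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest outside the document root (or off the server), since anything that can write index_syoezp69gf.php can also edit a manifest kept next to it.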
My account had been inactive for some time and this was a recent build. As far as I know, I installed everything from legit sources and only recently started using PHP. Everything else has been HTML and CSS.
It’s possible they gained access to my cPanel, as the default passwords are weak with just alphanumeric passwords limited to 15 characters. I typically use full range passwords with a minimum length of 20… Nowadays it’s easy to get ahold of simple alphanumeric tables…
I’ve changed all passwords and activated two factor authentication now. I’ll check again in a few days and update it and mark this as resolved if everything’s clear.
The third option is that you may have infected software on your PC, for example a cracked website editor like Dreamweaver, which has a built-in FTP client, and it is enough that you experimented and ran someone’s code on a local PC that way so that it was automatically uploaded to the server.
The oldest I can find regarding the mentioned code, looking at this unique part of the code “mm:dwdrfml”, is
The password restrictions aren’t great, but it is what it is. Best practices say you should support much longer passwords, but it’s not like a 15 character alphanumeric password is easy to crack. It’s not like we’re calling it a day with 4-6 digit PIN codes (like many mobile apps do).
That’s still 7.7×10^26 options of 15 character passwords, not including the 8-14 character length passwords. So good luck with trying to guess an account’s password.