Dz.php and private.php

Has anyone run into these files before?

A client had these files added to a page of their site, which were uploaded as an image. First off I don’t know how any hacker could have gotten access to the Admin section of the site where images can be added. The client has no idea where they came from. I also don’t think the image upload script would accept a file with a php extension yet the name of the file was added into the database in the image column for the page in question as if the upload script worked. I will be looking into that.

My question is, has anyone seen these files before? They look like machine-code when viewing them.

There is a possibility that an approved user (Owners wife) upload an image from say a WORD file or something. Still not sure. Any ideas?

WordPress site?

Look to be Shell script

ala Google

Website Auto Shell Finder Private Scripts - MaDLeeTs › Coding Languages › Perl, Python , Ruby‎
Oct 4, 2013 - Website Auto Shell Finder Private Scripts. Asalam u Alikum All … ‘whmcs/downloads/dz.php’,‘L3b.php’,‘d.php’,‘tmp/d.php’,‘tmp/L3b.php’ …

No it’s not a WordPress site. The page does have a “comments” form on it which has been attacked on a regular basis by spam bots. I’ve blocked around 300 IPs hitting the page/form with ads. This form though is not related to the file uploads in anyway that I’m aware of. Completely different section of the site and database table, but as far as the public is concerned, it is the same page where files were found.

Looking up whmcs/downloads/dz.php brings up a bunch of hacker sites. Boy this sounds like trouble. I wonder how it could have been added where it was found? As mentioned before, the upload section is in Admin.

Are you running any popular open source control panel or management software on this site? There are lots of ways to exploit something to upload a malicious file and once they get a file up there it is trivial to download other malicious files.

wwb_99, no. There’s no open source coding on this site. It is using a back office I made some years ago. In Admin there are a number of checks to validate user on each page before they would have access to where the upload script would process to DB. I’m still suspecting (a valid user) may have tried to upload what they thought was a valid image, but maybe it was a partial downloaded image or an image that was changed like from a WORD document. I have not heard back from the owner yet.

Maybe an FTP hijacking of some sort?

Or if a shared host, maybe from another site?

Well the thing is these files were added using the image upload script, which resizes “images” and puts them into four different directories, Slides, Thumbs etc. So each of these folders had a copy of the two files.


If these files have been uploaded to your website (they have been), then you may assume that you’ve been hacked via these files. I have provided a checklist for getting control of your website after being hacked (it’s been about a year) but you need to (1) change your login password(s) - make them strong (, (2) DELETE EVERYTHING and (3) RELOAD EVERYTHING from your master set of files. After that, I’d also recommend adding your own files to create daily hashes of all your files and compare them with the last daily hashes so you know which files have been changed (and compare that list with your known changes - yes, I’ve written a SitePoint article on that, too, and included code [which needed to be updated after the original posting - ARGH!]).

If you need either the full checklist or the article with its code, you may PM me for those but please check SitePoint’s system first.



Do you mean this one, in the sticky?