Found hackers php file. Now what?

I found a php file on my server that they are using to show all of my server details and contains fields that can be used to upload files to my site. Question is how can I stop them from adding that file and find out where they are getting access from?

now, you can start to clean your server, and find the security hole :stuck_out_tongue:

that sounds like some kind of shellscript, and it’s probably not the only file you’ve got from them.

if you are running some premade script/service, try to look for an update, but first scan and look for suspicious files and folders on the server. a popular place to hide malicious scripts, files and code is in plugin folders of a CMS etc… do you have some snippets from the file you found, so we can have a look, to try to find out what it may be and do…?

I have the whole script. It’s 6600 lines long though and I wouldn’t know what bits to post from it.

Here is a partial screenshot

that's very interesting… but we will need some more info

if you can’t post some code snippet, maybe you can tell us how you discovered it, and what it’s called, and where you found it on the server…

there are a lot of shellscripts out there, but a few are more popular than others. from what you tell it looks like madshell, c99, c99 madshell or some other variants or similar types… but it’s hard to tell without seeing it :stuck_out_tongue:

but these scripts have a control panel with ftp/uploading/passwords etc… and it sounds like this is the script you have there…(the control panel)(?)

if it is, there will be other files too on your server

yeah, that's the control panel. but i can't really say if it is c99 or something similar, just from the pic. but i can tell you that you need to start looking for other files and folders. these scripts/exploits can embed themselves in other files so you better check your whole server. they can hide as scripts and pictures. you also need to figure out how this happened, and how they got in.

if you have some premade scripts/services, you’d better update it with a clean copy.
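The two replies above amount to a procedure: scan the whole webroot (plugin folders included) for suspicious files, remember that the shell can hide inside files named like pictures, then replace the premade scripts with clean copies. As an added example that is not code from this thread, here is a small read-only scanner in Python that does the first two steps over a constructed sample tree. The indicator list is an assumption on my part: `c99shexit(` is the call the OP quotes later in the thread, and the rest are generic patterns common to PHP backdoors of this kind. The sample files are built inline so the script runs offline; point `scan_tree()` at a real webroot to use it for real.

```python
"""Added example (not from the thread): a read-only scanner for the kind of
PHP backdoor discussed above. It walks a directory tree and flags files that
contain common webshell indicators, including PHP tags inside files that
claim to be images. Indicators and sample files are constructed for the demo."""
import os
import re
import tempfile

# Heuristic indicators (assumed, not an official signature set).
# c99shexit() is the function name the OP quoted; the others are generic
# patterns seen in many PHP shells. Extend to taste.
INDICATORS = [
    (re.compile(rb"c99shexit\s*\("), "c99-family shell exit call"),
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
     "eval() over decoded payload"),
    (re.compile(rb"\b(shell_exec|passthru|system|proc_open|popen)\s*\(\s*\$_(GET|POST|REQUEST)"),
     "command execution fed from request"),
    (re.compile(rb"move_uploaded_file\s*\(\s*\$_FILES"), "file upload handler"),
]

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_file(path):
    """Return the list of indicator labels found in one file (empty if clean)."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    for pattern, label in INDICATORS:
        if pattern.search(data):
            findings.append(label)
    # A "picture" that contains a PHP open tag is the hiding trick the reply warns about.
    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_EXTENSIONS and PHP_TAG.search(data):
        findings.append("PHP code inside image file")
    return findings


def scan_tree(root):
    """Walk the whole tree (plugin folders included) and map relative path -> findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def build_sample_tree():
    """Constructed sample webroot for the demo: one clean page, one planted
    shell in a plugin folder, one PHP payload disguised as a PNG, one real-looking image."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "plugins/gallery/cache.php":
            b"<?php eval(base64_decode($_POST['x'])); chdir($lastdir); c99shexit(); ?>",
        "uploads/logo.png": b"\x89PNG\r\n\x1a\n<?php system($_GET['cmd']); ?>",
        "uploads/photo.jpg": b"\xff\xd8\xff\xe0 plain image bytes",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{path}: {', '.join(hits)}")
```

The scanner only reads; it deliberately does not delete or quarantine, because the flagged paths are also what you want to look up in the web server access log to see which IP was POSTing to them and when (that answers the OP's "where are they getting access from"). Pattern matching like this is a triage aid, not a clean bill of health: a file that matches nothing can still be modified, so the third step in the replies, diffing against or reinstalling clean copies of the purchased scripts, still has to happen.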

Just saw this in the last line of code:

<?php chdir($lastdir); c99shexit(); ?>

haha i kinda knew it :stuck_out_tongue: :shifty:

ok, then you’ve gotta start cleaning your server. you also need to figure out what is vulnerable there…

this wouldn't happen to be a wordpress site, as they have been popular targets for this?

No, I do not run wordpress. I did recently purchase and install a bunch of codecanyon scripts and this didn't start happening until I installed them. I will remove them and see what happens.

you also need to clean up the server. this shellscript/backdoor can create user accounts, dl/upload files, execute code, scan for ftp accounts/passwd, run shell commands, manage mysql databases etc etc and etc…

Already started. Thanks for all the help

no prob dude.

hope you get it fixed :slight_smile: