in reply to Something I found on my site

The next time you find something like this, run stat on it and archive all your available logs for anything that has had access to the directory in question. These often come in through flaws in a web application like WordPress, Joomla, osCommerce, or jCow. A good incident response admin can often tell you how it was done and how to fix the security issue.

There's often more than one file, and sometimes they also inject malicious code into legitimate files.

For what it's worth, there are also often FTP uploads or uploads through a control panel's file manager. The attackers do that by compromising a PC and looking for passwords saved in FTP clients or web browsers. So scan and secure any PC you have, any on the same LAN, and any belonging to contract developers or admins you've had, or change your credentials and settings in a way that refuses access to anything you can't clean.

It's much harder to tell exactly how something came to exist on the system after the metadata is destroyed. Some web hosting companies have good free incident response in their security departments, like HostGator.
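An added example, not part of the post above: one way to capture the `stat` output and archive the logs before any cleanup touches the metadata. The function names and the case-directory layout are assumptions, and the tools assumed are GNU coreutils and GNU tar.

```bash
#!/bin/sh
# Added example. Function names and case-directory layout are assumptions.

# preserve_file CASE_DIR FILE
# Record stat output BEFORE reading the file (hashing or copying it can
# update atime), then hash it and keep a timestamp-preserving copy.
preserve_file() {
    pf_case=$1; pf_file=$2
    pf_name=$(basename "$pf_file")
    mkdir -p "$pf_case/files" || return 1
    {
        echo "collected_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "path: $pf_file"
        stat "$pf_file"
    } > "$pf_case/files/$pf_name.stat" || return 1
    sha256sum "$pf_file" > "$pf_case/files/$pf_name.sha256" || return 1
    cp -p "$pf_file" "$pf_case/files/$pf_name.sample" || return 1
    # Keep the sample read-only and non-executable.
    chmod 0400 "$pf_case/files/$pf_name.sample"
}

# archive_logs CASE_DIR LOG_DIR...
# Tar the log directories (tar stores the original mtimes) and write a
# checksum beside the archive so later changes to it are detectable.
archive_logs() {
    al_case=$1; shift
    mkdir -p "$al_case" || return 1
    al_name="logs-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    al_rc=0
    tar -czf "$al_case/$al_name" "$@" || al_rc=$?
    # GNU tar exits 1 when a file changed while being read (expected for
    # logs still being written); 2 is a fatal error.
    [ "$al_rc" -le 1 ] || return 1
    ( cd "$al_case" && sha256sum "$al_name" > "$al_name.sha256" ) || return 1
    echo "$al_case/$al_name"
}

# Usage (placeholder paths):
#   preserve_file /path/to/case /path/to/suspicious-file
#   archive_logs  /path/to/case /path/to/log-dir-1 /path/to/log-dir-2
```

Write the case directory somewhere outside the web root, ideally on storage the compromised account cannot modify.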

Re^2: Something I found on my site
by GnikLlort (Novice) on Apr 26, 2014 at 08:03 UTC

    I think they may have used the Heartbleed bug just before my host patched it. I looked at my FTP logs and there were about 400 to 600 logins, and all the logs are gone.

      This has stepped well beyond Perl.

      Unless you were using SFTP, FTP-SSL, or scp and were using a flawed OpenSSL library, then this was not a Heartbleed issue. If you were, then it still may not be a Heartbleed issue. If someone overwrote your FTP log files, the most likely reason is to hide FTP activity.

      Change your FTP passwords, and clean all the systems that ever had FTP access to the site in question as well as any on the same LAN.