
@Jamie184

Your website has been compromised if you're seeing strange files which are obviously not yours.

Steps to take:

1. Change all FTP logins and passwords: This will ensure that if it was an FTP account that was compromised, the hacker would need to once again find your password.
2. Secure your script: I'd recommend using a penetration tester like nmap or Netsparker to check for SQL injection vulnerabilities, XSS injection vulnerabilities, or others.
3. It may have been from a rootkit or control kit, which means the whole server is compromised. You should rebuild the Apache server from scratch, or restore the whole shebang from a backup.
4. Double-check all people: I'm not accusing any partner who also works on your site of doing this, but you should make sure that they haven't done something stupid like share their passwords with obscure sites.
5. Stop people from accessing "hope.php" on your server: Set up your .htaccess file to deny access to any file whatsoever which is named "hope.php".


This code ought to do it (I didn't test it, but it should work):

# Deny every request for a file named exactly "hope.php", in any directory
# below this .htaccess. The dot is escaped so "hopeXphp" is not matched, and
# ^ anchors the name so "nothope.php" is not matched either.
<FilesMatch "^hope\.php$">
    # Apache 2.2 access control (mod_access)
    Order allow,deny
    Deny from all
    # On Apache 2.4 (mod_authz_core) replace the two lines above with:
    # Require all denied
</FilesMatch>



6. Do a search: Check to make sure no other strange files are on your server, and make sure all files which are on the server are your own.
7. De-scramble the file fully: If you can find out a name or an author, you can better determine the source. Often the creators of scripts like this are narcissistic, and will almost always include a credit to themselves somewhere.
8. Most importantly, don't overreact to anything that you find: My site's been hacked before, and that PHP file wasn't obfuscated. In it, there were heavily encrypted variables named stuff like $backdoor and stuff like that, which sounded scary. Upon decrypting, they wound up being pieces of the HTML template for the shell script. The $backdoor variable was actually just <img src="http://linktoheaderimage" />.


This is the best advice I can offer you, I hope your issue is resolved.

EDIT: I've actually gone ahead and run the script on a codepad, and it doesn't seem to do much of anything. Be wary of it. I'll examine all code fully and see if I can determine what the heck this thing even does...
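The "do a search" step above (find files that are not yours, and look inside PHP files for the constructions obfuscated droppers use) can be partly automated. The script below is an added example and is not part of the original post; the web root, the file inventory and the sample `hope.php` contents it scans are all constructed inside a temporary directory so it runs offline. The indicator list is an assumption about what is worth a second look, not a signature database: matches are leads for manual review, since legitimate code also calls `base64_decode`.

```python
"""Triage helper: find files in a web root that look out of place.

Three independent reasons put a file in the report: it is not in the owner's
inventory of known files, it was modified after a cutoff (e.g. the last known
good deploy), or it is a PHP file containing constructions typical of
obfuscated shells. Any one reason is enough to list the file for review.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructions common in obfuscated PHP droppers (assumed indicator list).
# These are review leads, not proof: legitimate code uses base64_decode too.
INDICATORS = [
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(", re.I)),
    ("gzinflate/str_rot13", re.compile(rb"\b(gzinflate|str_rot13)\s*\(", re.I)),
    # preg_replace with the /e modifier executes the replacement as PHP code
    ("preg_replace /e", re.compile(rb"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I | re.S)),
    # a long run of base64 alphabet is the usual shape of an encoded payload
    ("long base64 blob", re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def scan_file(path):
    """Return the names of indicators found in one file (empty list if none)."""
    data = path.read_bytes()
    return [name for name, pattern in INDICATORS if pattern.search(data)]


def find_suspicious(webroot, inventory, modified_since):
    """Walk webroot and map each suspicious relative path to its list of reasons.

    inventory      -- set of relative POSIX paths the owner knows are theirs
    modified_since -- epoch seconds; files changed after this are reported
    """
    report = {}
    for path in Path(webroot).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot).as_posix()
        reasons = []
        if rel not in inventory:
            reasons.append("not in inventory")
        if path.stat().st_mtime > modified_since:
            reasons.append("modified after cutoff")
        if path.suffix.lower() in PHP_SUFFIXES:
            reasons.extend("matches " + name for name in scan_file(path))
        if reasons:
            report[rel] = reasons
    return report


def demo():
    """Build a constructed web root with one clean and one suspicious file, then scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    now = time.time()

    # A known, month-old, harmless page (constructed sample).
    clean = root / "index.php"
    clean.write_text("<?php echo 'hello'; ?>\n")
    os.utime(clean, (now - 30 * 86400, now - 30 * 86400))

    # A freshly dropped file with an eval'd base64 payload (constructed sample;
    # the blob is filler text, not real code).
    blob = "QUJD" * 60  # 240 base64-alphabet characters
    (root / "hope.php").write_text(f"<?php eval(base64_decode('{blob}')); ?>\n")

    inventory = {"index.php"}               # the owner's list of legitimate files
    cutoff = now - 86400                    # "anything changed in the last day"
    return find_suspicious(root, inventory, cutoff)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a real web root by calling `find_suspicious` with the site's document root, a set of relative paths taken from the last clean deployment (or version control), and the timestamp of that deployment; anything it lists is a file to read by hand, not a file to assume is malicious.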
