That’s a good question, but it’s also a tricky one to figure out
It’s often done via a vulnerability in your website, or a plugin installed onto your website.
It could also get there by a bot guessing the admin password of your site, or FTP account.
Usually, it’s the first option though – a vulnerability.
I’d recommend starting by making sure your site and all the plugins are up to date.
You could also take a look at the timestamps on some of those PHP scripts, and then compare that to activity in your Apache access log for that domain. That may give you an idea of what was occurring on your site at the time those were uploaded.
Thanks Eric, that’s what I was trying to show in my post
That I did match the times, and then in the access log. But it still doesn’t tell me much about how exactly they got in (or I might be blind ;) ), so what I meant was: with that info, times matched, is there info there which tells me what they are actually using to upload those scripts?
Thanks for your attention by the way, really appreciated!
I think what I’d do is view every action performed by the IP “176.31.124.155” as suspicious – and just grep the log file for that IP, and see what they begin doing at the moment they arrive.
However, that POST entry you showed here does appear suspicious:
I’d be very curious what contents are in the file “/media/k2/items/xml.php”, it may be that it contains a vulnerability of some sort.
It’s not going to be possible to get specifics of what they’re doing. You won’t be able to see what occurred during that “POST” request. All you can see is that they performed a POST using that particular file.
So the next step is to review that file, and see if you can determine anything about it that doesn’t look quite right.
If it doesn’t look like outright malware, it may be that it contains a security flaw that they’re taking advantage of… you may want to make sure it’s at the newest revision.
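The two steps suggested above (match the dropped file's timestamp against the Apache access log, then pull every request from the suspicious IP in order) can be scripted. The following is an added example, not code from the thread or from Virtualmin; it assumes the Apache "combined" log format, the log lines are constructed (only the IP and the xml.php path are taken from the thread), and the list of "static" directories used to flag odd POSTs is my own heuristic.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line: client IP, timestamp, request line, status.
# Only the fields needed for the correlation are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real log data). The IP and the xml.php path
# are the ones quoted in the thread; the other paths and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2014:10:02:11 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
176.31.124.155 - - [12/Jan/2014:10:05:40 +0100] "GET /media/k2/items/xml.php HTTP/1.1" 200 321 "-" "Mozilla/5.0"
176.31.124.155 - - [12/Jan/2014:10:05:42 +0100] "POST /media/k2/items/xml.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
176.31.124.155 - - [12/Jan/2014:10:05:45 +0100] "GET /images/stories/new-file.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2014:10:40:00 +0100] "GET /index.php?option=com_k2 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Directories that normally hold static or uploaded content; a POST to a .php
# file under them is unusual for a stock Joomla site (heuristic, my choice).
STATIC_DIRS = ("/media/", "/images/", "/cache/", "/tmp/", "/logs/")


def parse_apache_ts(text):
    """'12/Jan/2014:10:05:45 +0100' -> timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = parse_apache_ts(e["ts"])
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def mtime_of(path):
    """File modification time as an aware datetime, so it compares correctly
    with log timestamps whatever timezone the server logs in."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(entries, when, minutes=10):
    """All requests within +/- `minutes` of `when` (e.g. a dropped file's mtime)."""
    window = timedelta(minutes=minutes)
    return [e for e in entries if abs(e["ts"] - when) <= window]


def activity_for_ip(entries, ip):
    """Everything one client did, in order: the 'grep the log for that IP' step."""
    return sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["ts"])


def suspicious_posts(entries):
    """POSTs that hit a .php file inside a directory meant for static content."""
    return [
        e for e in entries
        if e["method"] == "POST"
        and e["path"].split("?")[0].endswith(".php")
        and e["path"].startswith(STATIC_DIRS)
    ]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # On a real server: when = mtime_of("/path/to/public_html/media/k2/items/xml.php")
    when = parse_apache_ts("12/Jan/2014:10:05:45 +0100")
    for e in requests_near(entries, when, minutes=2):
        print(e["ts"].isoformat(), e["ip"], e["method"], e["path"])
    print("--- suspicious POSTs ---")
    for e in suspicious_posts(entries):
        print(e["ip"], e["path"])
```

Feed it the real access log with `parse_log(open(logfile).read())` and the dropped file's `mtime_of(...)`; the narrow window shows what arrived just before the file appeared, and the per-IP listing shows the order of events once you have a candidate address.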
Based on what you posted, lex, that should be Joomla with the K2 extension. Just so you know, K2 was reported several times in the past to be vulnerable to all kinds of exploits, including SQL injections. You should check the entire site, including the DB, and see what damage is done, but before that disable all plugins/extensions you have installed; if not, the hacker could get back in no time.
If I was right about Joomla, maybe you could get better help on their forum, as this doesn’t have anything to do with Virtualmin.
Thanks to both of you for your answers. Yes, that’s a Joomla site with K2, but they said issues had been resolved and the site is running all the latest versions. I will go to Joomla and ask there, but I knew that my original question has more to do with the server, and I know people here know a lot more about servers than over at Joomla.
But with the info I’ve gathered I can now go to them and see what they tell me. I’ll check the xml.php file as well.
You’d definitely want to remove that xml.php script.
Now, how that xml.php script got there in the first place – that information may be lost if that was put there awhile ago. But you could also try the same thing with that script, review the timestamp of it, then look in the Apache logs to see if you can determine who put it there, and what they accessed to do so.
Also, if you haven’t already, you may want to ban the IP addresses you see trying to access those malicious scripts.
So that “strange” code is:
$sF[4] = B
$sF[5] = A
$sF[9] = S
$sF[10] = E
$sF[6] = 6
$sF[3] = 4
$sF[11] = __
$sF[8] = D
$sF[10] = E
$sF[1] = C
$sF[7] = O
$sF[8] = D
$sF[10] = E
and
$sF[11] = __
$sF[0] = P
$sF[7] = O
$sF[9] = S
$sF[2] = T
So yeah, this is 100% a hack, and your site(s) and probably DB(s) are or could be compromised. The hacker just hid base64_decode so software you could use to seek/spot the hack has a hard time finding it. But I would not delete that file; instead, prevent it from being written and executed, and then search in (all) files inside your public folder for “PCT4BA6ODSE_” and “base64_decode”. After you find all the files, copy them to your computer and then delete them, just in case you need them to find more compromised files or in case people from the Joomla or WordPress community need them to help you repair the damage. This doesn’t have anything to do with the server; your sites were hacked for some reason like nulled scripts & themes, old scripts, not properly securing your websites, etc… Like I said in my previous post, maybe you could get better help from the Joomla and WordPress community because this problem (probably) started with one of these two CMS.
P.S. I put two " _ " because for some reason the forum was changing them, but actually “$sF[11]” is only one " _ ".
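The decode table above shows why a plain grep for “base64_decode” can miss this: the name is never written out, it is assembled one character at a time from indexes into the string “PCT4BA6ODSE_”. The scanner below is an added example (not code from the thread, Joomla, or Virtualmin) that does the two searches suggested in the last post and additionally resolves `$var[n].$var[m]...` chains against any quoted string assigned in the same file, so it reports what such a chain spells. The sample PHP fragment is constructed from the indexes quoted in the thread, and the list of function names treated as a red flag is my own choice.

```python
import os
import re

# Strings the thread recommends searching for.
LITERAL_MARKERS = ("PCT4BA6ODSE_", "base64_decode")

# Names that are a strong signal when built char-by-char instead of written
# out (list is my choice, not from the thread).
WATCH_TOKENS = {"base64_decode", "_post", "_get", "_request", "eval",
                "gzinflate", "str_rot13"}

# $name = "literal";   -> candidate character source
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;')
# $name[3].$name[7].$name[1]  -> a concatenation chain of single characters
CHAIN_RE = re.compile(r'(?:\$\w+\[\d+\]\s*\.\s*)+\$\w+\[\d+\]')
PIECE_RE = re.compile(r'\$(\w+)\[(\d+)\]')

# Constructed sample: the index pattern from the thread with "PCT4BA6ODSE_" as
# the source string. Only the name-building lines are shown.
SAMPLE_OBFUSCATED_PHP = r'''<?php
$sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
$s22=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);
'''


def resolve_chains(source):
    """Return [(expression, decoded_string)] for every index chain whose
    source variable is a literal string in the same file."""
    strings = {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(source)}
    resolved = []
    for chain in CHAIN_RE.finditer(source):
        chars = []
        for name, idx in PIECE_RE.findall(chain.group(0)):
            s = strings.get(name)
            i = int(idx)
            if s is None or i >= len(s):
                chars = None          # not statically resolvable; skip
                break
            chars.append(s[i])
        if chars:
            resolved.append((chain.group(0), "".join(chars)))
    return resolved


def scan_source(source):
    """Findings for one file: literal markers plus index-built names."""
    findings = []
    for marker in LITERAL_MARKERS:
        if marker in source:
            findings.append(("literal", marker))
    for _expr, decoded in resolve_chains(source):
        if decoded.lower() in WATCH_TOKENS:
            findings.append(("index-built", decoded))
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a document root and map each flagged file to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read())
            except OSError:
                continue
            if findings:
                hits[path] = findings
    return hits


if __name__ == "__main__":
    for kind, value in scan_source(SAMPLE_OBFUSCATED_PHP):
        print(f"{kind:12s} {value}")
    # On a real server: for path, f in scan_tree("/path/to/public_html").items(): print(path, f)
```

Run `scan_tree()` against a copy of the public folder before deleting anything, as the post advises; the resolver only handles the simplest pattern (one literal string, direct index concatenation), so treat an empty result as "nothing of this shape found" rather than "clean".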