0

I keep getting a file called "wp-sil.php" uploaded to my one specific folder. When I copy the file to my desktop so I can examine it, it removes itself.

When I open the URL string live on my website, I see the entire folder content and options to delete/edit/modify.

At the bottom there is a signature: https://www.google.ca/search?q=B+Ge+Team+File+Manager+Version+1.0%2C+Coded+By+Little+Wei&rlz=1C1CHBF_enCA711CA711&oq=B+Ge+Team+File+Manager+Version+1.0%2C+Coded+By+Little+Wei&aqs=chrome..69i57j69i64l3.330j0j4&sourceid=chrome&ie=UTF-8

Of course I deleted the file from each folder that I found it in but I am worried it will come back again.

I have changed every password I could think of, changed all FTP access and only have a few people accessing the FTP (to a specific folder), added GoDaddy's malware protection to scan everything and it came back with nothing. I blocked a bunch of different countries' IP addresses.

I back up the files weekly so I am not worried about losing anything, but it will cause a slight inconvenience if the current live files are affected.

Is there a way to block a filename from being uploaded or block unauthorized uploads in general? Or at least check who is behind this?

BragDeal
  • 115
  • 3
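The question asks how to check for the dropped file and who is behind it. The following is an added example, not code from the question or the answer: a small defender-side scan that walks a web root and flags the indicators the question itself supplies (the filename `wp-sil.php` and the "B Ge Team File Manager" signature string shown at the bottom of the page), reporting the owning uid and permission bits of each hit so the uploading account can be traced, and also flagging world-writable directories, which is where such uploads usually land. The web root layout, the sample files and the function names are constructed for the demonstration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Indicators taken from the question: the dropped filename and the
# signature string displayed at the bottom of the file-manager page.
SUSPECT_NAMES = {"wp-sil.php"}
SIGNATURE = b"B Ge Team File Manager"
READ_LIMIT = 1 << 20  # only inspect the first 1 MiB of each PHP file


@dataclass(frozen=True)
class Finding:
    path: str    # full path of the suspicious file or directory
    name: str    # basename, convenient for reporting
    reason: str  # why it was flagged
    uid: int     # owner; shows which account wrote the file
    mode: str    # permission bits as an octal string


def _finding(path, reason, st):
    return Finding(path, os.path.basename(path), reason, st.st_uid,
                   oct(stat.S_IMODE(st.st_mode)))


def scan_webroot(root):
    """Walk a web root and return a list of Finding objects.

    Flags (1) directories anyone on the box can write to, which is where
    dropped files tend to land, (2) files with a known dropped filename,
    and (3) PHP files whose contents carry the file-manager signature,
    which also catches the same shell saved under a different name.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dst = os.stat(dirpath)
        if dst.st_mode & stat.S_IWOTH:
            findings.append(_finding(dirpath, "world-writable directory", dst))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and the like
            if name in SUSPECT_NAMES:
                findings.append(_finding(path, "known dropped filename", st))
            if name.lower().endswith(".php"):
                with open(path, "rb") as fh:
                    head = fh.read(READ_LIMIT)
                if SIGNATURE in head:
                    findings.append(_finding(path, "file-manager signature string", st))
    return findings


def build_sample_tree():
    """Create a constructed web root in a temp dir for the demonstration."""
    root = tempfile.mkdtemp(prefix="webroot-")  # mkdtemp creates it 0700
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)  # the weak permission the scan should catch
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")  # benign file, must not be flagged
    with open(os.path.join(uploads, "wp-sil.php"), "wb") as fh:
        fh.write(b"<?php /* constructed sample */ echo 'B Ge Team File Manager Version 1.0'; ?>\n")
    with open(os.path.join(uploads, "cache.php"), "wb") as fh:
        fh.write(b"<?php /* same shell, renamed */ echo 'B Ge Team File Manager'; ?>\n")
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_tree()):
        print(f"{f.reason:32} uid={f.uid} mode={f.mode} {f.path}")
```

Run it against the real document root instead of the sample tree and the uid column answers part of "who is behind this": if every hit is owned by the web-server user, the writes came through the web application rather than FTP; if a hit is owned by an FTP account, that credential is the one to look at. The world-writable directory hits are the places to tighten before restoring from backup.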

1 Answer

3

You are probably using a vulnerable application (maybe an old version of WordPress, old themes, outdated plugins ..., just guessing) and someone is using such a vulnerability to upload promiscuous files and abuse your server / services. You should update everything.

Or you may have a vulnerable service (do you have root access to your server? Do you update your system regularly?)

Or you may have a compromised account because of weak passwords or stolen credentials.

Restoring a backup won't be enough.

You'll have to check at least these three aspects before you have a chance of getting rid of this.

Also, you provided very few details, so it's hard to give more than general help like this.

Marco
  • 1,679
  • 3
  • 17
  • 31
  • So just because some of my clients have never updated their WordPress site (hosted on my server within an inner folder), someone can inject a file to every single folder? No one has access but me, I've also changed all passwords just in case – BragDeal Aug 29 '17 at 19:36
  • Yes, exactly. You shouldn't host sites in subfolders but in separate chrooted environments using Linux and Apache vhosts. – Marco Aug 29 '17 at 20:59
  • It depends on your file system permissions for different clients and your web server where they can upload files. – Tero Kilkanen Aug 30 '17 at 07:36
  • @TeroKilkanen I've read that he is totally unaware of what customers have on their accounts/domains, so I would use a true chrooting in this case and not just vhosts + per-customer-permissions. – Marco Aug 30 '17 at 09:55