How does a web site prevent attack by hackers? - TechRepublic
Question
February 16, 2011 at 07:35 PM
healer

How does a web site prevent attack by hackers?

by healer . Updated 15 years, 4 months ago

I have a web site running with an Apache server on a Linux platform. It is mostly coded with PHP and has a MySQL database. Twice in the last few months it has been hacked. Last time when it happened I wiped out the whole web site and re-installed. Now it has happened again. I have seen the effect of implanted code yet.

I discovered the issues when I zipped the whole web site and downloaded it to my local computer, where anti-malware software is running. The download was straight away intercepted and indicated there were Backdoor:PHP/C99Shell.G & Backdoor:PHP/C99Shell.E. The file was removed when I accepted the fix. So I did it again and ignored the message. I unzipped the file and scanned all the files again to find out which file was the culprit. I found a PHP file in an image directory causing the problem. The anti-malware software wouldn’t let me copy it so that I could study the code. Eventually I had to let go. Then I tried to use the cPanel file manager to download the offending file directly from the web server. The local anti-malware software intercepted it again. Eventually I renamed the file and used an FTP program to download it. When I did the anti-malware scan the offending file was found again and was removed.

I deleted the offending PHP file and zipped the whole web site again. When I downloaded it, the local anti-malware program again found the zipped file infected with the same trojans plus one more, which is Hiebot.B. It looks as if the trojans re-generated themselves and more. Perhaps the web site is already remotely controlled by a hacker.

I looked at the visitors’ logs. I found quite a lot didn’t have referring URLs, which concerns me. I checked the location of the IP addresses. Some were from googlebot.com. Most were not. The logs only show visitors retrieving files, not depositing files. I don’t know if I can trace how the file sneaked into the web site. I managed the offending PHP file by partially disabling my anti-malware software. It refers to a web site “www.rss-tochka.ru//poll/”.
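
An added example, not part of the original post: the post describes a PHP file found in an image directory and access logs that show only retrievals. A script dropped that way is still driven through ordinary requests to that file, so the Apache access log can be triaged for script requests under directories that should serve only static content. The directory names, file names and log lines below are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumption: directories on this site that should only ever serve static files.
STATIC_DIRS = ("/images/", "/img/", "/uploads/")
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.IGNORECASE)

def suspicious_requests(lines, static_dirs=STATIC_DIRS):
    """Return {client_ip: [(time, method, path, status, reason), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # drop the query string
        in_static = any(d in path.lower() for d in static_dirs)
        reasons = []
        if in_static and SCRIPT_RE.search(path):
            reasons.append("script requested from static directory")
        if in_static and m["method"] in ("POST", "PUT"):
            reasons.append("write-style method to static directory")
        if reasons:
            hits[m["host"]].append(
                (m["time"], m["method"], path, m["status"], "; ".join(reasons))
            )
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not taken from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Feb/2011:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2011:10:05:40 +0000] "GET /images/thumb.php?x=1 HTTP/1.1" 200 8301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2011:10:06:11 +0000] "POST /images/thumb.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Feb/2011:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Googlebot/2.1"',
]

if __name__ == "__main__":
    for ip, events in suspicious_requests(SAMPLE_LOG).items():
        for event in events:
            print(ip, *event)
```

A missing referrer alone is not flagged here, since crawlers and direct visits also send none; the signal is a script being requested where only images should live.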
