Strange files appear in /home/admin

Yasham (Verified User, joined Feb 3, 2018, 33 messages)
Hello,
Our website (WordPress) faced malware and we had to clean it. But we noticed strange PHP files inside "/home/admin". As we know, even if our WordPress is hacked, it should not be possible to create files inside the top-level folder "/home/admin".
Does this belong to DirectAdmin? Or should we search again inside our WP website?
Attachments

  • 11.jpeg
  • 22.jpeg
If the website is not restricted by open_basedir, scripts can walk through all directories owned by the same user.
It's better to keep websites in separate accounts and not in the admin account. I have clients that have each website in a separate account; when one is hacked, it's easy to clean that one and find in the logs the POST requests to the compromised plugin. Then we can replace this plugin, and the website works a few more years.
 
- I have only 1 website on my server.
I solved it with these steps:
1- I cleared old revisions from my website's SQL database.
2- I checked my WP theme's 404.php and saw it was empty, and the malware was using it to write PHP files. I just restored it to the default and it's done.
My log file data:
-------
66.249.75.122 - - [21/Nov/2022:16:33:00 +0100] "GET /realmadrid2022.football/realmadrid2022.football/vn2022-11-099j.html?vietnam/2022-11-0978163.html HTTP/1.0" 404 965 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.110 - - [21/Nov/2022:16:33:01 +0100] "GET /realmadrid2022.football/realmadrid2022.football/vn2022-11-09686oq.html?vn/2022-11-09943039.html HTTP/1.0" 404 965 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.104 - - [21/Nov/2022:16:33:01 +0100] "GET /realmadrid2022.football/realmadrid2022.football/vn2022-11-092414c.html?vn/2022-11-09378547.html HTTP/1.0" 404 965 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.116 - - [21/Nov/2022:16:33:01 +0100] "GET /realmadrid2022.football/realmadrid2022.football/vn2022-11-095687fsixs.html?vietnam/2022-11-09459600.html HTTP/1.0" 404 965 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.110 - - [21/Nov/2022:16:33:01 +0100] "GET /fr/realmadrid2022.football/vn2022-11-0389759yob.html?vietnam/2022-11-03827422.html HTTP/1.0" 404 965 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.114 - - [21/Nov/2022:16:33:01 +0100] "GET /realmadrid2022.football/realmadrid2022.football/realmadrid2022.football/vn2022-11-096649d.html HTTP/1.0" 404 995 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
---------
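The reply above suggests locating the entry point by finding POST requests to the compromised plugin in the access log, and the excerpt shows the same combined log format. This is an added example, not code from the thread or from DirectAdmin: it parses combined-format lines, lists POSTs aimed directly at plugin or theme PHP files, and counts 404s per client. The sample lines, IPs and plugin/theme names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the same combined-log format as the thread's excerpt; the
# IPs (documentation ranges), paths and plugin/theme names are made up for this example.
SAMPLE_LOG = """\
66.249.75.122 - - [21/Nov/2022:16:33:00 +0100] "GET /realmadrid2022.football/vn2022-11-099j.html?vn/2022-11-0978.html HTTP/1.0" 404 965 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [21/Nov/2022:16:35:12 +0100] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Nov/2022:16:35:40 +0100] "POST /wp-content/themes/example-theme/404.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2022:16:36:01 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2022:16:36:05 +0100] "GET /realmadrid2022.football/vn2022-11-092414c.html HTTP/1.0" 404 965 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

# Normal WordPress traffic POSTs to core entry points, not straight to plugin or theme files.
DIRECT_PHP = re.compile(r"^/wp-content/(plugins|themes)/[^?]+\.php")

def direct_posts(log_text):
    """(ip, path, status) for POSTs aimed straight at a plugin or theme PHP file.
    A 200 on such a request is the kind of hit the reply suggests looking for when
    tracing which plugin (or, here, the theme's 404.php) was used as the entry point."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and DIRECT_PHP.match(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits

def not_found_by_ip(log_text):
    """How many 404s each client produced; bursts of deep, made-up .html paths like
    the excerpt's are worth correlating with the injected content found during cleanup."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            counts[rec["ip"]] += 1
    return counts
```

Run `direct_posts(open("access.log").read())` against the real log once the compromised account's log has been collected; lines that do not match the format are skipped rather than raising.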