Hacker left a file called “PHP.RSTBackdoor”

Hi,

I’m going to start from the beginning. I recently had two of my sites hacked. When the first one was hacked 6 months ago I basically uploaded new files, and after this I made a complete back-up thinking that all files were OK, since everything was working fine. Three days ago the other one was hacked, but this time I only replaced the index page with my back-up file.

Reading different threads in this forum I saw that somebody suggested scanning your computer, even Macs, which is what I’m running. So last night I decided to install Norton and scanned my computer, and when it was done it found the back-up file I made after my first site was hacked. Apparently inside this back-up file there is a file called “PHP.RSTBackdoor”, which apparently is the one that contains the malicious code. I went and looked for this file on my server and I couldn’t find it.

Is there a way to search for this file in my server?

Is there some sort of software like Norton to scan your server? Or how about the method I just described: create a complete site back-up and then scan it with Norton on your computer. Is this a valid option?

Thanks a lot.

As Mittineague has already stated, everything in your public folder and its sibling folders. Basically everything you have access to with FTP. Keep in mind that when a hacker gets control of your website, they have at least the same access as you do. So whatever you have access to on a shared host is what you want to download to your PC.

Thanks a lot for your input.

I already informed my host.

Can I use Norton to scan my files? Will it detect and fix malicious files?

Thanks a lot.

If you’re on a shared host you should be able to download everything in your domain folder. The “public” folder and its “sibling” folders too. You won’t be able to go above your domain folder - i.e. access to other sites and host-only folders - that’s where the importance of reporting the incident to your host comes in.

First of all thank you for your help.

Would you be so kind and explain this a little bit more?

This threat requires the file r57shell.php to run.

What is this file? Norton already repaired the affected file, sorry if I’m not understanding.

This file may already be present or may be manually copied to the compromised computer by the attacker.

Can you explain this a little bit more?

Thanks a lot for your help

I suppose your antivirus deleted that file when it detected it. Now, how that file got into your system in the first place - that is a good question. (~;

Thank you for your help

Thanks a lot for your comments!

Yes, I just noticed that I do have antivirus in my cPanel.

Thanks

Btw, if you are on a shared host with cPanel, you may have an inbuilt antivirus facility too (my favourite is ClamAV). Scan your uploaded contents with the antivirus online itself. Generally it is a better idea to delete the infected files there and then re-upload clean copies of the deleted contents.

Also boot your PC with a clean bootable disk and scan your PC with an antivirus (like AVG Free), and try a spyware scan too (use Spybot or SUPERAntiSpyware - all free).

I find that Sophos is better at detecting some of the backdoor files than most other AV programs.

You can download your entire site - everything to your local PC. Then use Sophos, they have a 30 day trial, and scan all of your files. This won’t find everything but it will find more than many of the other AVs.

Typically the backdoors will do something like:

isset($_POST['somevariable']) or if (!empty($_POST['somevariable']))

then either @eval($_POST['somevariable']) or base64_decode($_POST['somevariable'])

These are just basic examples of what to look for. We’ve tested other backdoor “finders”, some with over 4400 signatures, and rarely do they find more than one or two backdoors on a website that we’ve found over 20 on. Not promoting, just stating that these backdoors are difficult to find.

I forgot, ClamAV is also good at detecting many backdoors. I haven’t used the Windows version but the Linux version is great. I believe they both use the same signatures so the Windows version should be able to detect any backdoor that the Linux version does.

Just an FYI…
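The grep-style check described in the post above, worked into a small scanner as an added example (this is not code from the poster or from any antivirus product named in the thread). It walks a site backup that has already been downloaded to a clean PC, flags the eval/base64_decode-of-$_POST patterns plus a few closely related ones, treats the bare isset()/!empty() guard as a weak signal only (legitimate forms use it too), and also flags a PHP open tag inside a file with a non-PHP extension, which is the "masked as a pic" case mentioned later in the thread. The signature names, the sample file names and their contents are constructed for the demonstration.

```python
"""Heuristic PHP backdoor finder for a site backup on a clean PC (added example)."""
import re
import sys
import tempfile
from pathlib import Path

REQ = r"\$_(?:POST|GET|REQUEST|COOKIE)"  # superglobals a web shell reads its command from

# (label, severity, regex). "high": attacker-supplied input is executed or decoded.
# "low": only the isset()/!empty() guard, which legitimate forms also use.
SIGNATURES = [
    ("eval-of-request", "high", re.compile(r"@?\beval\s*\(\s*" + REQ, re.I)),
    ("eval-of-base64", "high",
     re.compile(r"@?\beval\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(", re.I)),
    ("base64-of-request", "high", re.compile(r"base64_decode\s*\(\s*" + REQ, re.I)),
    ("exec-of-request", "high",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*" + REQ, re.I)),
    ("preg-replace-eval", "high",  # the deprecated /e modifier evaluates the replacement
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("request-guard", "low", re.compile(r"\b(?:isset|empty)\s*\(\s*" + REQ + r"\s*\[", re.I)),
]
PHP_EXTS = {".php", ".phtml", ".php5", ".inc"}


def scan_text(text):
    """Return [(label, severity, line_no, snippet)] for every signature hit in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, sev, rx in SIGNATURES:
            if rx.search(line):
                hits.append((label, sev, line_no, line.strip()[:80]))
    return hits


def scan_blob(name, data):
    """Scan one file's bytes; also flag PHP code hiding behind a non-PHP extension."""
    text = data.decode("utf-8", errors="replace")
    hits = scan_text(text)
    if Path(name).suffix.lower() not in PHP_EXTS and re.search(r"<\?php|<\?=", text):
        hits.append(("php-in-non-php-file", "high", 1, name))
    return hits


def verdict(hits):
    """'suspicious' on any high hit, 'review' on weak hits only, else 'clean'."""
    if any(sev == "high" for _, sev, _, _ in hits):
        return "suspicious"
    return "review" if hits else "clean"


def scan_tree(root):
    """Walk a downloaded site; return {relative_path: (verdict, hits)} for non-clean files."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_blob(p.name, p.read_bytes())
            v = verdict(hits)
            if v != "clean":
                findings[str(p.relative_to(root))] = (v, hits)
    return findings


# Constructed sample site (hypothetical file names and contents, not from any real site).
SAMPLE_FILES = {
    "index.php": "<?php\n$p = $_POST['q'];\nif (!empty($_POST['cmd'])) { @eval($_POST['cmd']); }\n",
    "images/logo.jpg": "\xff\xd8\xff<?php echo shell_exec($_GET['c']); ?>",
    "inc/helper.php": "<?php\neval(gzinflate(base64_decode('ZWNobyAx')));\n",
    "contact.php": "<?php\nif (isset($_POST['email'])) { mail('me@example.com', 'hi', $_POST['msg']); }\n",
    "style.css": "body { color: #333; }\n",
}


def scan_samples():
    """Scan the constructed samples in memory; returns {name: verdict}."""
    return {n: verdict(scan_blob(n, c.encode("utf-8"))) for n, c in SAMPLE_FILES.items()}


def write_demo_tree(root):
    for rel, content in SAMPLE_FILES.items():
        f = Path(root) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(content, encoding="utf-8")


def main(argv):
    # Usage: python backdoor_scan.py /path/to/downloaded/site  (no path: scan the demo tree)
    root = argv[1] if len(argv) > 1 else tempfile.mkdtemp(prefix="sitebak_")
    if len(argv) == 1:
        write_demo_tree(root)
    for rel, (v, hits) in scan_tree(root).items():
        print(f"{v:10} {rel}")
        for label, sev, ln, snip in hits:
            print(f"    [{sev}] {label} line {ln}: {snip}")


if __name__ == "__main__":
    main(sys.argv)
```

A file that only trips the request-guard signature is reported as "review" rather than "suspicious", so a plain contact form is not mistaken for a shell; the high-severity signatures are the ones that actually hand request data to eval, a shell function or a decoder. Matching is line-based and deliberately loose, so treat a hit as a place to read the code, not as a verdict on its own.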

I suppose your antivirus deleted that file, when detected.

It asked me if I wanted to repair it or delete it, I clicked repair but at the end I deleted the whole .rar backup file after Norton’s repair.

Now, how that file got into your system in first place - that is a good question. (~;

Well, as I said, it’s the complete site back-up I downloaded.

Thanks a lot for your help

First of all thank you for your help!

You can download your entire site - everything to your local PC.

Excuse my ignorance but when you say the entire site this means the public folder only right?

I find that Sophos is better at detecting some of the backdoor files than most other AV programs.

So Norton is not a good program for this type of tasks?

Learning a lot as I go… thanks to this forum (you guys)

Thanks a lot!

Thank a lot for your comments!

Just a little info here…

The PHP.RSTBackdoor is just the threat name, not the file name.

…and the r57shell.php is an advanced shell script. It contains a dashboard with, among other things, a vulnerability scanner; you can set file permissions, it has FTP, etc. etc.… it’s like an advanced toolbox.

Someone most likely scanned your site/host and found a vulnerability, and then they exploited it and got the script installed and opened a backdoor… and did whatever else they wanted.

It can be embedded in other legitimate files or masked as a pic or something else, so make sure to search your files and folders for any suspicious files or code.

Looks like when you downloaded your site for a backup, you downloaded it with the script installed - you didn’t clean it before you downloaded it, nor did you do it afterwards - make sure to have a clean backup so you don’t install an infected backup.

Too many people make this mistake - uploading an infected backup and history repeats itself…

Some - yes. Not all of them.

apparently inside this back-up file there is a file called “PHP.RSTBackdoor” which apparently is the one that contains the malicious code

That is actually how the antivirus vendor names this particular virus/malware. It is not an actual filename. Some of your PHP/JS/HTML files contain malicious JavaScript. Namely, from the Symantec site: This threat requires the file r57shell.php to run. This file may already be present or may be manually copied to the compromised computer by the attacker.

Is there a way to search for this file in my server?

Is there some sort of software like Norton to scan your server? Or how about the method I just described: create a complete site back-up and then scan it with Norton on your computer. Is this a valid option?

The usual procedure is to download all files to a clean/uninfected PC and to scan them with your favourite virus scanner.