
Attack of the default.php files

We’ve been seeing many infected websites that have numerous default.php files “sprinkled” throughout the site.

These files are being used by hackers to infect other websites.

The code inside the default.php files usually starts with:

eval (gzinflate ( base64_decode ("...

The file is usually either 2,858 or 2,556 bytes in size.
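The safe way to see what such a file does is to decode it statically rather than run it. The following is an added example, not code from the original post: it peels eval(gzinflate(base64_decode("..."))) layers with Python's zlib (PHP's gzinflate() is raw DEFLATE, so zlib is told there is no header). SAMPLE_DEFAULT_PHP is constructed here by wrapping a harmless snippet twice; the function and constant names are this example's own.

```python
"""Statically unwrap eval(gzinflate(base64_decode("..."))) layers from a PHP file.

Added example; it is not code from the original post. SAMPLE_DEFAULT_PHP is
constructed here by wrapping a harmless snippet twice, so it runs offline.
Real default.php files carry attacker code: decode them like this, never run them.
"""
import base64
import re
import zlib
from typing import Tuple

# One obfuscation layer: eval(gzinflate(base64_decode("<blob>"))), any spacing/quotes.
WRAPPER = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']',
    re.IGNORECASE,
)


def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE; negative wbits tells zlib there is no header."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def gzdeflate(data: bytes) -> bytes:
    """Inverse of gzinflate(); used only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def unwrap(source: str, max_layers: int = 20) -> Tuple[str, int]:
    """Peel wrappers until plain code remains; returns (innermost code, layers removed).

    max_layers guards against a payload that keeps decoding to another wrapper.
    """
    current, layers = source, 0
    while layers < max_layers:
        m = WRAPPER.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        current = gzinflate(base64.b64decode(blob)).decode("utf-8", "replace")
        layers += 1
    return current, layers


def wrap(php_code: str) -> str:
    """Produce one layer the way the obfuscator does (constructed sample only)."""
    blob = base64.b64encode(gzdeflate(php_code.encode())).decode()
    return 'eval (gzinflate ( base64_decode ("%s")));' % blob


# Constructed sample: a benign payload under two layers, the way droppers stack them.
INNER_CODE = 'echo "stand-in for the dropper code";'
SAMPLE_DEFAULT_PHP = "<?php " + wrap(wrap(INNER_CODE)) + " ?>"

if __name__ == "__main__":
    code, n = unwrap(SAMPLE_DEFAULT_PHP)
    print("layers removed:", n)
    print(code)
```

Run it against a real default.php by passing the file's contents to unwrap(); the decoded code is what the file would execute, and it is what you should read to find out which other files on the server it writes or which sites it contacts.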

These files are uploaded to the website via FTP.

How do hackers upload files to your site with FTP?

They have stolen your password!

If you have access to your FTP log files, you will see some entries like this:

Sun Jan 13 21:41:48 2013 0 XX.XX.XX.XX 2848 /home/(name of your account)/public_html/default.php b _ i r ftpaccount ftp 1 * c

This is the standard xferlog format: 2848 is the number of bytes transferred, the `i` means an incoming transfer (an upload), `r` a real (non-anonymous) user, and the trailing `c` a completed transfer. The username field, shown here as ftpaccount, is the account the hackers used to upload the default.php files to your site. Whoever uses that account legitimately may be working on a computer with a virus on it that has stolen the passwords.
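Reviewing the log by eye works for one site; for a log with thousands of lines you want the uploads pulled out and grouped by account and source address. This is an added example, not the post's own tooling: it parses xferlog-format lines into their named fields and reports completed incoming transfers whose name or size matches the dropper. The log lines, account names, paths and the address 203.0.113.5 are all constructed for the example.

```python
"""Pull the FTP uploads that matter out of an xferlog.

Added example, not from the original post. The log lines below are
constructed to mirror the entry shown above; the account names, paths and
the IP 203.0.113.5 (a documentation address) are made up.
"""
import posixpath
from collections import Counter
from typing import Dict, List, Optional

# Sizes the post reports for the dropper; the log's size field is bytes transferred.
KNOWN_SIZES = {2858, 2556}
DROPPED_NAMES = {"default.php", ".htaccess"}

SAMPLE_XFERLOG = """\
Sun Jan 13 20:02:11 2013 1 198.51.100.7 10240 /home/acct/public_html/index.html a _ i r webadmin ftp 1 * c
Sun Jan 13 21:41:48 2013 0 203.0.113.5 2858 /home/acct/public_html/default.php b _ i r ftpaccount ftp 1 * c
Sun Jan 13 21:41:49 2013 0 203.0.113.5 2556 /home/acct/public_html/images/default.php b _ i r ftpaccount ftp 1 * c
Sun Jan 13 21:41:50 2013 0 203.0.113.5 311 /home/acct/public_html/images/.htaccess b _ i r ftpaccount ftp 1 * c
Sun Jan 13 22:10:03 2013 0 198.51.100.7 2858 /home/acct/public_html/default.php b _ o r webadmin ftp 1 * c
"""


def parse_xferlog_line(line: str) -> Optional[Dict[str, str]]:
    """Split one xferlog entry into named fields.

    Layout (xferlog(5)): five date tokens, transfer-time, remote-host, file-size,
    filename, then nine fixed trailing fields. The filename is taken as everything
    between the size and the trailing fields, so a path with spaces still parses.
    """
    tokens = line.split()
    if len(tokens) < 18:
        return None
    head, tail = tokens[:8], tokens[-9:]
    return {
        "time": " ".join(head[:5]),
        "transfer_secs": head[5],
        "remote_host": head[6],
        "size": head[7],
        "filename": " ".join(tokens[8:-9]),
        "transfer_type": tail[0],   # a = ascii, b = binary
        "special_action": tail[1],  # _ = none
        "direction": tail[2],       # i = incoming (upload), o = outgoing (download)
        "access_mode": tail[3],     # r = real user, a = anonymous
        "username": tail[4],
        "service": tail[5],
        "auth_method": tail[6],
        "auth_user": tail[7],
        "status": tail[8],          # c = complete, i = incomplete
    }


def suspicious_uploads(log_text: str) -> List[Dict[str, str]]:
    """Completed incoming transfers whose file name or size matches the dropper."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_xferlog_line(line)
        if not entry or entry["direction"] != "i" or entry["status"] != "c":
            continue
        name = posixpath.basename(entry["filename"])
        size = int(entry["size"]) if entry["size"].isdigit() else -1
        if name in DROPPED_NAMES or size in KNOWN_SIZES:
            hits.append(entry)
    return hits


def accounts_and_sources(hits: List[Dict[str, str]]) -> Counter:
    """How many matching uploads each (account, remote address) pair made."""
    return Counter((h["username"], h["remote_host"]) for h in hits)


if __name__ == "__main__":
    found = suspicious_uploads(SAMPLE_XFERLOG)
    for h in found:
        print(h["time"], h["remote_host"], h["username"], h["filename"])
    print(accounts_and_sources(found))
```

The account that comes out of accounts_and_sources() is the one whose password must be treated as stolen, and the remote addresses are what you block or search for in the web server logs next. The download line in the sample (direction `o`) is deliberately ignored: someone fetching a copy of default.php for analysis is not the upload you are looking for.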

The default.php files are also used to upload malicious .htaccess files. Those files will have something like this:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http: //[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http: //le-guide-thalasso-sainte-maxime. com/wapn.html?h=1415319 [L,R]

We've seen various domains inserted into that last line, but the format is basically the same: URL/randomname.html?h=(some numbers). Note what the two RewriteCond lines do: the redirect fires only for visitors whose Referer header names a host other than your own, i.e. people arriving from search engines or links on other sites. If you type your own address into the browser there is no Referer, the site looks normal, and the redirect is easy to miss.

The first thing to do is change all your passwords: hosting account, FTP, and website logins (WordPress, Joomla or other). Do that from a computer you know is clean, and DO NOT log back in again until you have scanned all your computers – yes, even Macs.

Next, the log files will show you where on your site the files were uploaded, so you can delete those files. Check every .htaccess file for rules like the ones above. If a .htaccess file already existed in that folder, the hackers appended their redirect to it, and the lines above can simply be removed from the file.

If there wasn’t already a .htaccess file there then the hackers have added one and it can just be deleted.

Again, please run a full virus scan on all computers every day. When your anti-virus program updates, it typically does not run a full scan, so a signature update you receive today will not find anything already on your system until you run one. Updates only stop new infections from getting in.

With this infection there are typically additional backdoor shell scripts added to the site as well. Those have generally used base64_decode, so search your files for that string (and for gzinflate and eval, which the droppers combine it with) and then analyze each hit to determine whether it is malicious. base64_decode also has legitimate uses in CMS and plugin code, so a match is a reason to look, not proof of a backdoor.
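Putting the file checks from the last few paragraphs together, here is an added example (not the post's own tooling) that walks a site tree and reports three things: PHP files with an eval()-of-decoder wrapper like default.php, PHP files that merely mention base64_decode and need a human look, and .htaccess files carrying a Referer-conditioned redirect to an external randomname.html?h=(numbers) URL. build_sample_site() creates a throwaway directory with made-up contents (the domain attacker.invalid and all paths are constructed) so it runs offline; on a real host point scan_site() at public_html. The equivalent quick check on the server itself is grep -rl base64_decode public_html.

```python
"""Scan a site tree for the indicators described above.

Added example, not the post's own tooling. build_sample_site() constructs a
throwaway tree with made-up contents so the scanner runs offline; on a real
host call scan_site("public_html") instead.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Strong indicator: eval() fed directly by a decoder/decompressor, as in default.php.
EVAL_WRAPPER = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I
)
# Weak indicator: base64_decode has legitimate uses, so it is only flagged for review.
BASE64 = re.compile(r"\bbase64_decode\s*\(", re.I)
# Redirect conditioned on the Referer and aimed at an external <name>.html?h=<digits>.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
EXTERNAL_REDIRECT = re.compile(
    r"^\s*RewriteRule\s+\S+\s+https?://[^\s/]+/[^\s/]+\.html\?h=\d+", re.I | re.M
)
PHP_EXT = {".php", ".phtml", ".php5", ".inc"}


def classify(path: Path, text: str) -> Optional[str]:
    """Return an indicator label for one file, or None if nothing matched."""
    if path.name == ".htaccess":
        if REFERER_COND.search(text) and EXTERNAL_REDIRECT.search(text):
            return "htaccess-referer-redirect"
        return None
    if path.suffix.lower() in PHP_EXT:
        if EVAL_WRAPPER.search(text):
            return "eval-wrapper"
        if BASE64.search(text):
            return "base64_decode (review)"
    return None


def scan_site(root: str) -> Dict[str, str]:
    """Walk root and map relative path -> indicator label for every hit."""
    hits: Dict[str, str] = {}
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            label = classify(p, text)
            if label:
                hits[p.relative_to(root_path).as_posix()] = label
    return hits


# Constructed sample tree. The base64 blob in default.php is a placeholder: the
# scanner matches the wrapper, it does not decode it. attacker.invalid is made up.
SAMPLE_FILES = {
    "index.php": "<?php echo 'welcome'; ?>",
    ".htaccess": "RewriteEngine On\nRewriteBase /\nRewriteRule ^index\\.php$ - [L]\n",
    "default.php": '<?php eval (gzinflate ( base64_decode ("SGVsbG8="))); ?>',
    "lib/image.php": "<?php $png = base64_decode($_POST['img']); file_put_contents('x.png', $png);",
    "wp-content/uploads/.htaccess": (
        "RewriteEngine On\nRewriteBase /\n"
        "RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)\n"
        "RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]\n"
        "RewriteRule ^.*$ http://attacker.invalid/wapn.html?h=1415319 [L,R]\n"
    ),
}


def build_sample_site() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="site-")
    for rel, content in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for rel, label in sorted(scan_site(build_sample_site()).items()):
        print(f"{label:28} {rel}")
```

The sample tree shows the caveat in practice: lib/image.php is flagged only for review because base64_decode on its own is not malicious, the clean top-level .htaccess with ordinary rewrite rules is not flagged, and the .htaccess dropped into an uploads folder is flagged because it has both the Referer condition and the external redirect.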

If you need help cleaning this up, please send me an email at: traef@wewatchyourwebsite.com

Thank you.


6 Responses to Attack of the default.php files

  1. LaPoetUS says:

    Thanks for alerting site owners to this growing issue. However, I wish you would have included how they can find out if they are infected.

    • The only way to find out if your site is infected is to review the files on your site and see if there are any of the default.php files or if there are any redirects like the one listed, in their .htaccess files.

      Or your site redirects when you go to it.

      Thank you.

  2. We should fix it before it is attacked again. How come and how to solve?

    • You need to make certain that your passwords are strong and follow these guidelines:

      • At least 9 characters
      • Uses a combination of upper and lower case letters
      • Includes numbers
      • Has at least 3 special characters (!@#$%^&*()_+|}{“:?>< ,./';[]\=-)
      • Is unique to you (don’t use the same password on multiple accounts)

      If you’re already infected you need to first change your password to your hosting account and all FTP accounts and any CMS (WordPress, Joomla, etc.) logins – don’t login again until after you’ve run a full virus scan with a strong anti-virus program.

      Don’t give anyone the new password until they’ve run a full virus scan on their computers – yes Macs too!

      Then remove the default.php files and scan for any other files with base64_decode in them and review them carefully to determine if they are actually hacker backdoor shells.

      Last check all your .htaccess files for what we posted – or something similar.

  3. Unas says:

    Hi Thomas,

    Thanks for sharing, I will follow your instruction here to watch ftp or sftp log

  4. “If you’re already infected you need to first change your password to your hosting account and all FTP accounts and any CMS (WordPress, Joomla, etc.) logins – don’t login again until after you’ve run a full virus scan with a strong anti-virus program.”

    I hope you meant from a different PC/Mac as doing it on the infected machine (while connected to the internet) is risky. This is why I have a Dual Boot PC so I can switch to a clean OS and take care of my site(s) quickly.
