revolutionstudios Posted May 18, 2009

I have discovered two PHP files in my Downloads folder. One is called kopet.php and the other is newmailer.php. Looks like some kind of spamming file and perhaps an attempt to hijack and/or dump my database. Does anyone know anything about this stuff? And the best protection against it happening again? Thank you.

Zorro67 Posted May 18, 2009

We've moved our downloads folder outside of our webroot. It means that we have to FTP up new downloads instead of adding them from the backend, but I had been concerned about just what you are talking about.

revolutionstudios Posted May 18, 2009 (Author)

Yes, well, I had done that and renamed my Admin folder also, but I think perhaps my permissions are not set correctly or something. This is very scary; imagine the possibilities. The code even looks evil.

minadreapta Posted May 18, 2009

Move your download, attachments and templates_c directories outside of public_html.

revolutionstudios Posted May 18, 2009 (Author)

Done that. My bandwidth has gone through the roof. I can't find what's going on? Yikes, help.

bear Posted May 18, 2009

> Yes, well, I had done that and renamed my Admin folder also

Then they couldn't run it from the web.

> The code even looks evil.

How does code "look evil"? PM me some of it?

sparky Posted May 18, 2009

> How does code "look evil"? PM me some of it?

I had one (somehow uploaded to a user's site once) that would make your hair stand on end. Have PM'ed it to you... be careful with it!!

atDev Posted May 18, 2009

Another option would be to install suPHP on the server, otherwise move out of root like others have mentioned.

bear Posted May 18, 2009

Ugh, shell scripts. Thanks for the PMs guys, I've seen c99 before, but that other one is new to me. In the end about the same, and definitely evil if allowed to run.

revolutionstudios Posted May 18, 2009 (Author)

Nice timing to find it anyway. I have just moved to a new provider tonight and they are already ten times better; they moved my entire account over for free. Life is good today, so I bought myself a new iPhone, haha, yeah I know, I know... Thanks bear and all.

hiddenko Posted May 18, 2009

I have disabled execution of .php/cgi/pl scripts in downloads folders by adding to .htaccess:

    RemoveHandler .php .php3 .php4 .php5 .php6 .pl .cgi
    AddType application/x-httpd-php-source .php .phtml .php3 .php4 .php5 .phps .pl .cgi

If any PHP shell is uploaded and someone tries to run it from the web, he will see just the source code of this PHP file. I've put this .htaccess in any '777' folder.

ChrisGooding Posted May 18, 2009

Excellent advice, hiddenko. Maybe this should be added to the wiki, as this should be a must, being as we all have a number of folders that will need the dreaded '777' permissions, lol.

revolutionstudios Posted May 18, 2009 (Author)

hiddenko, so could you elaborate a little? You put the actual .htaccess file in the actual directories, and it looks exactly like what as a complete file? I get stuck with the syntax of .htaccess all the time. Thanks a lot. Dan

hiddenko Posted May 19, 2009 (edited)

Sorry guys, I made a mistake in my last reply. Here is my actual .htaccess:

    <FilesMatch "\.(inc|php|php3|php4|php5|php6|phtml|phps)$">
        RemoveHandler application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phtml
        AddHandler application/x-httpd-php-source .inc .php .php3 .php4 .php5 .php6 .phtml .phps
    </FilesMatch>
    RemoveType php
    Options -ExecCGI -Indexes

revolutionstudios, if you try to open any PHP file from the browser it will not be run by Apache (mod_php); instead you will see just its content, like in Notepad. Just try and you will see.

P.S. Don't put this code in the WHMCS root folder.

Edited May 19, 2009 by hiddenko

revolutionstudios Posted June 22, 2009 (Author)

Great advice, much appreciated

MACscr Posted June 23, 2009

Just a note, 777 is not evil in itself and it's fine as long as there are not other users on the server. You obviously should never be running a billing system in a shared hosting environment anyway.

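
Added example (not part of the thread and not WHMCS code): a shell audit for the advice given above. It lists every world-writable ('777') directory under a web root, reports whether it carries an .htaccess with a RemoveHandler line naming .php, and flags script files sitting in it. The function names, status labels and the demo tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Status labels are this script's own.

# For each world-writable directory under $1 print "<STATUS> <dir>":
#   OK           .htaccess present with a RemoveHandler line naming .php
#   NO_PHP_RULE  .htaccess present but no such line
#   NO_HTACCESS  no .htaccess in the directory
# then "SCRIPT <file>" for every script-like file directly inside it.
audit_writable_dirs() {
  local root="$1" dir status
  find "$root" -type d -perm -0002 -print | sort | while IFS= read -r dir; do
    if [ ! -f "$dir/.htaccess" ]; then
      status=NO_HTACCESS
    elif grep -Eqi '^[[:space:]]*RemoveHandler[[:space:]].*\.php' "$dir/.htaccess"; then
      status=OK
    else
      status=NO_PHP_RULE
    fi
    printf '%s %s\n' "$status" "$dir"
    find "$dir" -maxdepth 1 -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
      -o -iname '*.phtml' -o -iname '*.phps' -o -iname '*.inc' \
      -o -iname '*.pl' -o -iname '*.cgi' \) -print | sort | sed 's/^/SCRIPT /'
  done
}

# Constructed demo tree (empty files, made-up layout) so the audit runs offline.
demo() {
  local tmp
  tmp=$(mktemp -d) || return 1
  mkdir "$tmp/downloads" "$tmp/attachments" "$tmp/templates_c" "$tmp/includes"
  chmod 777 "$tmp/downloads" "$tmp/attachments" "$tmp/templates_c"
  chmod 755 "$tmp/includes"
  : > "$tmp/downloads/newmailer.php"
  : > "$tmp/downloads/manual.pdf"
  printf 'RemoveHandler .php .phtml\n' > "$tmp/attachments/.htaccess"
  printf 'Options -Indexes\n' > "$tmp/templates_c/.htaccess"
  audit_writable_dirs "$tmp"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The RemoveHandler check is a text match only: Apache applies these directives from .htaccess only where AllowOverride permits FileInfo (and Options for the Options line), so an OK status still needs a browser test like the one hiddenko describes.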