Fli
08-14-2014, 11:40 AM
If you witnessed a malicious script like systemspage.php:
In my case it was in these WordPress directories:
wp-includes/js/tinymce/plugins/wplink/wp-content/plugins/counterize/ip_files/flags/
wp-includes/js/tinymce/plugins/directionality/
wp-content/themes/BlueOne/js/carousel/
wp-includes/js/tinymce/plugins/paste/
wp-content/plugins/akismet/_inc/img/
wp-includes/js/tinymce/plugins/wpfullscreen/
wp-content/plugins/terms-of-use-2/classes/models/
FIX
You can try to find this filename on your whole hosting account, remove it, set up a cron job to remove it (http://internetlifeforum.com/linux-forums/2217-linux-find-files-modiffied-certain-date-day-timeframe/), analyse the file contents and set up a removal script, or ban the IP which executed this script (not effective, in my case many IPs).
You can also add an .htaccess file to some folders of your website (the folder in which systemspage.php appeared or some parent folders). The .htaccess content can be something like this:
# disallow executing .php files
<Files *.php>
deny from all
</Files>
(more about above code: http://internetlifeforum.com/php-mysql-forum/2066-how-prevent-execution-injection-malicious-scripts-website/ )
Test that your site is working after adding the above .htaccess!
- Update your content management system (like WordPress) and its plugins.
If a theme was infected, try to use a different theme and delete the old one (back up before), etc.
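
One way to do the find-and-remove step from the post above, shown as an added example that is not part of the original post: instead of deleting hits outright, it moves them out of the webroot with a hash log so the file contents can still be analysed. The function names, log file name and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the log file
# name and all paths are assumptions.
BAD_NAME="systemspage.php"    # filename reported in the post

# Print every regular file under $1 named BAD_NAME.
find_bad() {
    find "$1" -type f -name "$BAD_NAME" -print
}

# List other .php files next to each hit, for manual review (not removal).
siblings_of_bad() {
    find_bad "$1" | while IFS= read -r s_file; do
        find "$(dirname "$s_file")" -maxdepth 1 -type f -name '*.php' \
            ! -name "$BAD_NAME" -print
    done
}

# Move each hit under webroot $1 into quarantine dir $2, which must live
# outside the webroot. Logs time, SHA-256 and original path; echoes the count.
quarantine_bad() {
    q_root=$1; q_dir=$2; q_count=0
    mkdir -p "$q_dir" || return 1
    chmod 700 "$q_dir"
    q_list=$(mktemp) || return 1
    find_bad "$q_root" > "$q_list"
    # Line-based loop: paths containing newlines are not handled.
    while IFS= read -r q_file; do
        q_sum=$(sha256sum "$q_file" | cut -d' ' -f1)
        q_dest="$q_dir/$q_sum.$q_count.quarantined"   # no .php extension
        if mv -- "$q_file" "$q_dest"; then
            chmod 400 "$q_dest"
            printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
                "$q_sum" "$q_file" >> "$q_dir/quarantine.log"
            q_count=$((q_count + 1))
        fi
    done < "$q_list"
    rm -f "$q_list"
    echo "$q_count"
}

# Cron use (placeholder paths):
# */30 * * * * /home/USER/bin/quarantine.sh /home/USER/public_html /home/USER/quarantine
if [ "$#" -eq 2 ]; then
    quarantine_bad "$1" "$2"
fi
```

A file that keeps reappearing in quarantine.log after each cron run means the entry point is still open, so the log doubles as a reinfection indicator.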