So I have a client's site that has been hacked in the index.php file. The hack contains variables like this:

$O0O_O00O__=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");

I've done some ssh stuff and found some shell exploits that I removed. But, when I delete the code from the index.php and save it back to the server, and I refresh the ftp to see the file size, within a second, the file is right back to the hack being in there.

What am I missing? What would re/create the index.php file like this?

Any help is appreciated.

2 Answers

0
user3602993 On

You can at a running pid. This issue might occur if there is a task that recreates the file. Or maybe the crontab has been edited. Or the file is a symlink.

0
MrTechie On

So I am going to leave this here for others to read in case of someone has trouble with this same thing.

When the index.php file is written to with the hack the permissions are adjusted to the file. Usually it's set to 444.

The way I was able to fix it was, I logged in via SSH, and then changed the owner:group to be the account that was logged in via ftp using this command

sudo chown owner:group index.php

Then from there, I set the file permissions to be 644 doing this

sudo chmod 644 index.php

From there I was able to edit the file in ftp and via notepad++ and save it back just fine, and it wasn't written over again.

Then I just reversed the process and set the permissions of the file back to 444.

Hope this helps someone else later on.
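A triage script that walks the hypotheses raised in both answers (a symlink, a crontab entry, a resident process) and then applies the chown/chmod sequence from the second answer, added here as an example and not code posted by either user. It assumes a Linux host with GNU coreutils (stat -c) and procps (ps); the function names and the owner:group argument are my own.

```sh
# Added triage helper, not from the thread. Assumes Linux with GNU coreutils (stat -c)
# and procps (ps); run it over the web root as a user that can read the file.

# Describe how the file exists on disk: a symlink (and where it points), a regular file
# with its owner and mode, or missing. Covers the "is it a symlink?" hypothesis.
describe_target() {
    if [ -L "$1" ]; then
        printf 'symlink -> %s\n' "$(readlink "$1")"
    elif [ -f "$1" ]; then
        printf 'file owner=%s mode=%s\n' "$(stat -c '%U:%G' "$1")" "$(stat -c '%a' "$1")"
    else
        printf 'missing\n'
    fi
}

# Octal permission bits as a string, e.g. 444 (what the infected copy was left with).
file_mode() { stat -c '%a' "$1"; }

# Scheduled jobs that name the file: the crontab hypothesis. Only root sees every
# user's crontab; a non-root caller sees just its own plus the system files.
cron_mentions() {
    n=$(basename "$1")
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | grep -n -- "$n"
}

# Running processes whose command line names the file: the "running pid" hypothesis.
# A rewrite that lands within a second of each save usually comes from a resident process.
process_mentions() {
    n=$(basename "$1")
    ps -eo pid,user,args 2>/dev/null | grep -v 'grep' | grep -- "$n"
}

# The fix from the second answer: take ownership as owner:group, open the file for
# editing (644), and afterwards put it back to read-only (444).
make_writable() { chown "$2" "$1" && chmod 644 "$1"; }
make_readonly() { chmod 444 "$1"; }

# Run the whole triage for one path, e.g. triage /var/www/html/index.php
triage() {
    describe_target "$1"
    echo '--- cron entries mentioning the file:'; cron_mentions "$1" || echo '(none)'
    echo '--- processes mentioning the file:';  process_mentions "$1" || echo '(none)'
}
```

Run triage before editing; if the process list shows something holding the file, that is what needs to be stopped, otherwise the permission change alone only buys a window.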