There was one client who kept contacting me every few weeks telling me that his website was down. After checking, I found that files were missing; they had been deleted. I contacted the hosting support, and they told me this might be from hacking. True enough, I found an unknown PHP file on my server with encrypted PHP text that looked like this:
I'm not sure how the hacker was able to put this file on my server, but after I Googled it, I found out I'm not the only person having this issue. The hacker injects this script by promoting a FREE SCRIPT, and that's where we got trapped. Along with the FREE SCRIPT offered, they start to put another script in a .ico file. Who would suspect a .ico file? (.ico is the extension for icon files.) I found out that the ICO file is not an image file at all; there is scripting inside the file that opens up my server to other people to delete my files!!! This is serious~~~ very serious in fact.
In my team, there is no one in the network security area, which makes it hard for me to understand and overcome this problem. However, I managed to delete all the .ico files so that there is no hole for the hacker to hijack my server. This is really serious. Every time my client asks about system security, I tell them that the server is secure enough, but I don't know how secure the server really is.
Anyway, the ico file actually looks like this (which it should not):
It is actually a PHP script, disguised as an ico file. Who could ever expect that an ico file is actually a PHP script that opens a path for the hacker to come and delete my files?
The hacker will later put an encrypted PHP file to delete other crucial files in my system folder. Scary, right? Yes, very!!! Be afraid, be really afraid!
How did I overcome this?
- Look for .ico files and delete them
- Look for the index.php file and delete the unwanted/hijacked hack lines, or if possible, delete the whole file
- Wait and see if the system behaves as we want. If the system still fails, the script might still be on your server and will make your system behave weirdly again
— Adam —