by NiallR
5 replies
Howdy folks,

Recently I started finding a file called p.php in the root folder of one of my bigger earning websites. All of a sudden my site seemed to be providing links out to sites that were very adult in nature (some were beyond weird).

At the time I put the problem down to an RSS PHP script I'd been using and that there was a security hole in it because every time I deleted the p.php file it would reappear within 24 hours.

So I changed the passwords on my blog, hosting account and any other login related to that site and completely removed the RSS script too.

Now I've had peace and quiet for a few months and 3 days ago...bang...p.php appearing again in the root of the site.

Please can somebody shed some light on this? Whenever this happens my traffic/impressions/earnings are affected almost immediately. No idea why though.

Thanks in advance.

Niall
#pphp
  • Geejayz
    What code is contained within the p.php file when you download and examine it from the server?

    What happens if you browse to the p.php from Internet Explorer? (Only do this if you have firewall and anti-virus software though.)

    It could be that the p.php is created from another script like you mention. Because it is just p.php it is hard to search for a solution online.
  • hiphil
    I have had similar problems with hackers placing rogue PHP scripts on my site.

    I have solved the problem by creating a php script that lists any files that have been added to my site since I last logged on. I can then delete any malicious scripts.

    You can also replace the rogue script with another script with the same name that emails you the hacker's IP number etc. when they log onto the script. PM me if you would like a copy.
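The file-listing approach hiphil describes above, as an added example that is not hiphil's script or code from anyone in this thread: it reports files added, changed or removed under a web root since the previous run. The function names and the two command-line arguments (web root, manifest path) are assumptions made for this illustration.

```php
<?php
// Added example: list files added, changed or removed since the last run.
// Run from the CLI or cron, not through the web server. Keep the manifest
// OUTSIDE the web root so a dropped script cannot read or rewrite it.

function snapshot(string $root): array
{
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if ($info->isFile() && !$info->isLink()) {
            // Hash the content: mtime alone can be reset by whoever wrote the file.
            $files[substr($path, strlen($root) + 1)] = hash_file('sha256', $path);
        }
    }
    ksort($files);
    return $files;
}

function diffSnapshots(array $old, array $new): array
{
    $changed = [];
    foreach (array_intersect_key($new, $old) as $name => $hash) {
        if ($old[$name] !== $hash) {
            $changed[] = $name;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($new, $old)),
        'changed' => $changed,
        'removed' => array_keys(array_diff_key($old, $new)),
    ];
}

// Usage (hypothetical file name): php filewatch.php /path/to/webroot /path/outside/webroot/manifest.json
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $webRoot = realpath($argv[1]);
    if ($webRoot === false) { fwrite(STDERR, "web root not found\n"); exit(2); }
    $old = is_file($argv[2]) ? json_decode(file_get_contents($argv[2]), true) : [];
    $new = snapshot($webRoot);
    foreach (diffSnapshots($old ?: [], $new) as $kind => $names) {
        foreach ($names as $name) {
            echo strtoupper($kind), "  ", $name, "\n";
        }
    }
    file_put_contents($argv[2], json_encode($new, JSON_PRETTY_PRINT));
}
```

Each run overwrites the manifest, so a reported file is only flagged once; review the output before the next run. A CHANGED entry on an existing script matters as much as an ADDED one, since a file that keeps reappearing is often rewritten by code hidden in another file.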
  • esoomllub
    If you are continuously finding this type of file on your file system, you should remove it for sure... but you need to find out more about it first. What is in it (is it calling home when loaded, is it allowing hackers a back door)? I'd personally want to find out how it is getting there (what script are you running that might have a security hole)? It is just as important to close the hole... or files will continue to show up unwanted... some which may be far worse than others.
    • NiallR
      Hey guys,

      It's a weird one. I thought it was using an unsecure php script as a backdoor so I removed that script completely. That seemed to work.

      All of a sudden it just popped back in.

      I created a really strong blog password, deleted the file and now 2 days later no sign of it.

      I will keep you posted and grab a copy next time (if) it appears.

      Thanks for all the help and advice - really appreciate it!


      Niall
  • esoomllub
    Niall... speaking of strong blog password. Do you happen to access your blog over a wifi connection? If so, are you using a plug-in to encrypt your login or using SSL?