unknown files: fe2fc, fe2fi, fe2fl etc. in public_html

Hello, we have some unknown files: fe2fc, fe2fi, fe2fl etc. in public_html. Do these have anything to do with Virtualmin? We have been hacked, with much malicious code inserted into .php files. I have replaced most of these files and deleted fe2fc, fe2fi, fe2fl etc., but they come back immediately; this is also occurring in public_html/administrator. Can you please offer any guidance? Thank you, Jeff

Status: Closed (fixed)

Comments

Howdy -- no, those files aren't related to Virtualmin.

In fact, Virtualmin doesn't place any files within the public_html folder.

It looks like you're using Joomla there -- chances are that an attacker found a hole in either Joomla, or in one of the plugins you have there.

The first step would be to make sure Joomla is fully up to date, along with all the plugins that are installed.

It's a difficult problem to solve, but what you'd need to do is review your files there for any that were modified recently, and look at them to make sure nothing malicious has been added to them.

You'd also want to make sure your user's password wasn't compromised, which could allow someone to log in via FTP and upload those files.

Yes thank you, I have figured most of that out, but wanted to be sure it was not a Virtualmin thingy. I have updated to the latest 1.5.25 version, gone through most of the Joomla site files and found LOTS of funny malicious-looking code inside various .php files. I have replaced those files and they seem to be staying clean, but the fe2fc, fe2fi, fe2fl's keep coming back. Still having some issues with a variety of components and would like to resolve the mystery file question. Any ideas how to track down the source of these files? They reappear immediately after deleting them, could it be in the SQL database somehow? Thanks for any guidance you can share. Jeffrey


There are a few things you could check --

  • View your Apache logs at the time those files were created, and see if someone accessed your site at that specific time. That could show if someone is breaking in through a vulnerability in your website.

  • You may also want to review the cron entries for this user.

  • And lastly, you may also want to see what processes are running that are owned by this user.
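The log-correlation step suggested above, written out as an added example (not code from the thread or from Virtualmin): it takes the modification time of one of the recreated files, pulls the Apache access-log lines from that same minute, and flags POST requests to .php scripts as the ones worth reading first, then shows the cron and process checks for the site user. It assumes GNU coreutils (`date -r FILE`) and procps `ps` on Linux, Apache combined log format, and the access-log lines and file timestamp in `demo` are constructed for the example.

```shell
#!/bin/sh
# Correlate a suspicious file's mtime with Apache access-log entries from the
# same minute, then list cron entries and processes for the owning user.
# Assumes GNU coreutils (date -r FILE) and Apache combined log format.
set -eu
export LC_ALL=C   # month names in %b must match the log ("Jan", not a locale)

# Print access-log lines stamped in the same minute as the file's mtime,
# e.g. "[15/Jan/2011:04:32:" for a file written at 04:32.
requests_at_mtime() {
    file=$1 log=$2
    stamp=$(date -r "$file" '+%d/%b/%Y:%H:%M')
    grep -F "[$stamp" "$log" || true
}

# Keep only POST requests to PHP scripts: the usual shape of a call to an
# uploaded web shell. A heuristic to prioritise reading, not proof on its own.
suspicious_requests() {
    grep -E '"POST [^"]*\.php' || true
}

# Cron entries and running processes for the site user (needs root for -u).
# Assumes procps ps; lstart shows when each process was started.
user_activity() {
    user=$1
    crontab -l -u "$user" 2>/dev/null || echo "(no crontab for $user)"
    ps -u "$user" -o pid,ppid,lstart,cmd
}

# Constructed demo data (not a real log): one file recreated at 04:32:12 and
# three requests around that minute; only the 04:32 POST should come out.
demo() {
    tmp=$(mktemp -d)
    log=$tmp/access_log
    cat >"$log" <<'EOF'
203.0.113.7 - - [15/Jan/2011:04:31:58 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2011:04:32:10 +0000] "POST /images/stories/up.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Jan/2011:04:33:01 +0000] "GET /administrator/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
    touch -t 201101150432.12 "$tmp/fe2fc"   # mtime of the recreated file
    requests_at_mtime "$tmp/fe2fc" "$log" | suspicious_requests
    rm -rf "$tmp"
}
```

On a live server, run `requests_at_mtime public_html/fe2fc /var/log/virtualmin/DOMAIN_access_log` right after the file reappears (the path is whatever your Apache config names) and `user_activity SITEUSER` as root; a hit in the same minute points at the script that writes the files.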

Hey thanks, very good info. I'm planning to hire OSE to do an audit and profile, clean the site then install some protection. Thanks again, Jeff.