Which PHP files can be deleted after a hacker attack?

We had hackers on the ISP server on our site (exceeded bandwidth) and there is some suspicion that they used, or will use again, some of those files.

Can someone suggest which files are not part of Foundry (we also have Stacks) and which look strange, please?

For example, should there be a file such as:

  • license.php
  • wp-login.php (we don’t use WordPress)
  • task.php
  • /audio/admin.php

Here are the PHP files for our site, with some comments/content:

public_html/relis/fraga-nu_files/license.php

<?php
error_reporting(0);

public_html/relis/barmhartig_files/themes.php
public_html/relis/fraga-nu.php
public_html/pm/pm-efterfoljare_files/admin.php
public_html/images/themes.php
public_html/audio-video/files/settings.php
public_html/css/load.php
public_html/css/index.php

<?php
error_reporting(0);

public_html/samhallet/varlden/index_files/settings.php
public_html/samhallet/radslan-f-invandring_files/js/admin.php
public_html/samhallet/radslan-f-invandring_files/js/themes.php
public_html/_wareh/admin.php = empty file
public_html/_pdf/admin.php
public_html/andra-sprak/english_files/english_files.php
public_html/lejonet_files/task.php

<?php
function task() {
return 0;
}
task();

public_html/lejonet_files/wp-login.php = empty file
public_html/kurser_files/admin.php
public_html/slm/kh04/license.php
public_html/slm/kh03/license.php
public_html/slm/kh03/index_files/wp-login.php
public_html/rw_common/themes/license.php = empty file
public_html/rw_common/themes/Foundry/js/admin.php
public_html/rw_common/themes/Foundry/js/defense.php
public_html/rw_common/themes/Foundry/js/toggles/app.php
public_html/rw_common/themes/Foundry/js/toggles/library.php
public_html/rw_common/themes/Foundry/js/toggles/wp-login.php
public_html/rw_common/plugins/stacks/cloud.php
public_html/aforismer_files/expect.php
public_html/audio/admin.php
public_html/vigsel-aktenskap_files/themes.php
public_html/errorpage_files/license.php
public_html/page/wp-login.php
public_html/msk/settings.php
public_html/msk/.nyhetsbrev.php
public_html/msk/.kontakt.php
public_html/msk/kontakt.php
public_html/msk/press-meddelande_files/settings.php
public_html/msk/index_files/themes.php
public_html/msk/index_files/settings.php
public_html/msk/index_files/wp-login.php

Hi, if you are only using Foundry and no other services/products on your site then:

a) make a backup of all the files of the directory where your website is located (public_html/)
b) delete all files and folders in this directory (public_html/)
c) republish all files with RapidWeaver, so you have only your files in this folder

Next, if your host is using an Apache server, follow guidelines like these to add security via the .htaccess file:
https://siwecos.de/wiki/Htaccess/EN

To get this right:
I’m using Stacks 4.2, Foundry 2.3.8 and a number of stacks and add-ons; how about those?

/okn

These will be published again. The question was whether you use services like Alloy, which need to have specific folders on the server, or any applications/services outside the RW and Stacks universe…
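
One way to answer the original question once steps a) to c) are done, added here as an example and not part of the thread: compare the backup of the old public_html with the fresh RapidWeaver publish and list every PHP file that exists only in the backup. The two directory arguments are assumptions, and the tags mirror what the posted listing shows (empty files, error_reporting(0), hidden dot-files, WordPress file names).

```shell
#!/bin/sh
# Added example (not from the thread). Paths are assumptions: pass the backup
# of the compromised public_html and a directory holding the clean republish.

# foreign_php BACKUP_DIR CLEAN_DIR
# Prints "<tags> <relative path>" for each PHP file found only in BACKUP_DIR.
foreign_php() {
    backup=$1
    clean=$2
    ( cd "$backup" && find . -type f -name '*.php' | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        # Also present in the clean publish: RapidWeaver generated it, skip.
        [ -e "$clean/$rel" ] && continue
        f="$backup/$rel"
        name=${rel##*/}
        tags=""
        # Zero-byte files, like the ones marked "= empty file" in the listing.
        [ -s "$f" ] || tags="$tags,empty"
        # Hidden dot-files such as .kontakt.php next to kontakt.php.
        case "$name" in .*) tags="$tags,hidden" ;; esac
        # Error suppression, as in the quoted file contents.
        grep -qF 'error_reporting(0)' "$f" && tags="$tags,silences-errors"
        # WordPress file names on a site that does not run WordPress.
        case "$name" in wp-*.php) tags="$tags,wordpress-name" ;; esac
        tags=${tags#,}
        printf '%s %s\n' "${tags:-untagged}" "${rel#./}"
    done
}

# Stand-alone use: sh foreign_php.sh /path/to/backup /path/to/clean-publish
if [ "$#" -eq 2 ]; then
    foreign_php "$1" "$2"
fi
```

A listed file is only one that the republish did not produce; files belonging to a service installed outside RapidWeaver, such as the Alloy folders mentioned above, appear here too and need a manual look.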
