
Our web server was compromised about a year ago and we've finally had time to fix most of the issues that resulted in this. The only issue remaining is that multiple filenames were duplicated and modified.

Here's an example, also note that this only happened in our /var/www/ folder where all of our site .php files are.

Adapter13860111d520376a.php.
Adapter13860117d52173717.php
Adapter13860117d52383717.php
Adapter13860117d52493717.php5
Adapter.php

Where Adapter is the original file.

While the original files don't seem touched (we've checked multiple in the folders where this was happening), the duplicated files were; the only contents of these files is this:

<?php
eval("echo base64_encode('sitefolder');");

This happens in about a dozen .php files in our /var/www/site folder.

So my question is, how can we remove all files that match these filenames, or that match based on the contents of these files?

Thanks.

kinx
    While not a direct answer to your question, after a server is compromised, the usual advice is not to fix issues but instead to wipe it clean and restore from a backup made prior to the compromise. – John1024 Mar 07 '18 at 21:13
  • What else do I need to improve my question? I got downvoted. – kinx Mar 07 '18 at 21:13
  • @John1024 I know this, and doing it this way isn't a responsible way, but we did not have backups at the time sadly, and we have no way to restore. – kinx Mar 07 '18 at 21:15
  • I'm not the downvoter but I see that you also have a close vote as off-topic, not about Ubuntu. That might also be the reason for the downvote. Otherwise, your question looks well written to me. If I had the time, I'd write an answer suggesting that you run one of the many duplicate-detection scripts and use them to identify the files that you need to delete. – John1024 Mar 07 '18 at 21:16
  • This is about Ubuntu Server and using bash to delete multiple files, I'm not sure how it doesn't relate. – kinx Mar 07 '18 at 21:56
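A way to do what the question asks, as an added example that is not part of the original post or any answer to it: list every .php/.php5 file under the web root whose name follows the pattern in the listing above (original basename followed by a run of at least 16 hex characters) or whose contents carry the eval/base64_encode marker, then move the confirmed ones into a quarantine directory instead of deleting them outright, so the evidence survives for later analysis. The name regex, the marker regex, the QUARANTINE location and the sample tree built by make_demo_tree are all assumptions made for this example (the sample files are constructed to mirror the question's listing, not taken from a real server); the script assumes POSIX sh with GNU find and grep, as on Ubuntu Server.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh plus GNU
# find/grep/coreutils (Ubuntu Server defaults).

# Name pattern derived from the question's listing: an original basename
# followed by 16 or more hex characters, ending in .php or .php5.
NAME_RE='/[A-Za-z_]+[0-9a-f]{16,}\.php5?$'
# Content marker quoted in the question. Matching this is what decides
# whether a file is confirmed; a name match alone is only reported.
CONTENT_RE='eval\("echo base64_encode\('
# Where confirmed files are moved (assumed location; override via env).
QUARANTINE="${QUARANTINE:-/var/quarantine}"

# All .php/.php5 files under $1, one path per line.
php_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.php5' \)
}

# Paths whose file name matches NAME_RE.
suspect_by_name() {
    php_files "$1" | grep -E "$NAME_RE"
}

# Paths whose contents contain CONTENT_RE.
suspect_by_content() {
    find "$1" -type f \( -name '*.php' -o -name '*.php5' \) \
        -exec grep -lE "$CONTENT_RE" {} +
}

# Dry run by default: print what would happen. With mode "quarantine",
# move each confirmed file under $QUARANTINE, keeping its original path.
# A name-only hit without the marker is printed for review, never moved.
purge_suspects() {
    dir="$1"; mode="${2:-dry-run}"
    { suspect_by_name "$dir"; suspect_by_content "$dir"; } | sort -u |
    while IFS= read -r f; do
        if ! grep -qE "$CONTENT_RE" -- "$f"; then
            echo "review (name only): $f"
        elif [ "$mode" = quarantine ]; then
            mkdir -p -- "$QUARANTINE/$(dirname -- "$f")"
            mv -- "$f" "$QUARANTINE/$f"
            echo "quarantined: $f"
        else
            echo "would quarantine: $f"
        fi
    done
}

# Constructed sample tree mirroring the question's listing (not real data).
make_demo_tree() {
    root="$1"
    mkdir -p "$root/site/lib"
    # The untouched original.
    printf '<?php\nclass Adapter {}\n' > "$root/site/lib/Adapter.php"
    # Injected duplicates: suspicious name AND the marker.
    for n in Adapter13860111d520376a.php Adapter13860117d52173717.php \
             Adapter13860117d52493717.php5; do
        printf '<?php\neval("echo base64_encode('"'"'sitefolder'"'"');");\n' \
            > "$root/site/lib/$n"
    done
    # Marker under an innocent-looking name: caught by content only.
    printf '<?php\neval("echo base64_encode('"'"'sitefolder'"'"');");\n' \
        > "$root/site/index.php"
    # Pattern-like name but benign content: reported, never moved.
    printf '<?php\n// legitimate generated class\n' \
        > "$root/site/lib/Cache0123456789abcdef.php"
}

main() {
    demo="$(mktemp -d)"; q="$(mktemp -d)"
    make_demo_tree "$demo"
    echo "== dry run =="
    purge_suspects "$demo"
    echo "== quarantine =="
    QUARANTINE="$q" purge_suspects "$demo" quarantine
    rm -rf -- "$demo" "$q"
}

main "$@"
```

Run it once without the mode argument against the real web root and read the list before repeating with quarantine; on the sample tree the dry run reports four "would quarantine" lines and one "review (name only)" line for the benign file. The name pattern is only a heuristic, which is why the marker in the file contents is the test that decides, and why files are moved rather than removed: the quarantined copies keep their paths and can still be examined (or hashed and compared) once the clean-up is done.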
