Hi, one of my vBulletin sites notified me today of a file in my pub html that should not be there. It was an htm file pointing to an online pharmacy. I of course did not put this there. So far nothing else has happened to the site. Site is running normally. I have the host doing a maldet scan and waiting for them to get back to me. Is it possible this is something minor that can be squashed, or is my whole world about to come crashing down over this? I can't help but think if I was severely compromised that my site would be defaced by now and who knows what else. A lot of the finer points of security are over my head, which is why I have a managed server. Hopefully they can give me some good info and direction, but I also appreciate the thoughts here at digitalpoint.
OK, well after a lot of looking, that single file was the only one added to the server as far as I can tell. I was able to see my last rsync, and the rsync log had no other files updated off site other than that one, along with typical updates. Host says only my IP has accessed SSH or FTP the last few days, no system files seem to have been touched, logs are fine, etc. Maldet scan found no hits. I removed two domains off my server running lesser-known php/mysql scripts. I updated any vBulletin addons I could find. I'm not sure what else I can do. Everything has been running fine, so I guess I just play it by ear.
It's a dedicated server with 2 forums running on it, just 2 domains. I've changed all passwords and set the server to allow FTP & SSH only from my IP address. I have also spent 3 days clearing off old plugins and scripts that accumulated over the last 10 years (which I am ashamed to say is A LOT of crud). I've updated several plugins such as Tapatalk and vBSEO. The forum is already up to date. You know how it is, it just keeps getting put on the back burner because you are too busy running things and trying to stay afloat. Since the incident nothing else has "happened"; it was just the one file that appeared in public_html. My other forum site is pretty standard and up to date and runs under a different user. Since the rogue file that appeared was owned by my primary user account for that site, it seems to be some sort of breach on that particular account. I have thoroughly cleaned out public_html and /forums and am now continuing my cleanup through the includes folder etc., as well as manually deleting any old forum plugins. I do keep a full off-site rsync backup at home with database backups, so if something major does go down I can rebuild fresh. At this point I am kind of hoping it was a one-off and a cleanout, new passwords, etc. will be fine. I simply don't have the time and resources to nuke my server and rebuild everything from scratch.
The main thing is finding the source of the file. Compare the timestamps and check multiple places, including website access logs, bash history files, FTP transfer logs, and also any control panel access logs such as cPanel. If you utilize all of these logs, you should be able to find what, if anything, was compromised and trace the source of this file.
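The timestamp-correlation step described in the reply above, as an added example that is not part of the original thread: a small Python script that takes the rogue file's modification time and pulls every web access log and FTP transfer log entry that falls within a window around it, then flags the entries a defender would triage first (an FTP upload, or a successful POST to a PHP script just before the file appeared). The log lines, IP addresses, file names and the `siteuser` account are all constructed for the example; the FTP line layout follows the vsftpd style and is assumed, as is the assumption that the FTP log is written in UTC, since it carries no zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log line (sample, constructed for this example):
# 203.0.113.5 - - [22/Sep/2013:03:14:02 +0000] "POST /x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ACCESS_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# vsftpd-style transfer log line (layout assumed for this example; adjust for your FTP daemon):
# Sat Sep 21 22:30:11 2013 [pid 2211] [siteuser] OK UPLOAD: Client "192.0.2.10", "/path", 8192 bytes
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<result>\w+) (?P<op>\w+): Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"'
)
FTP_TS_FMT = "%a %b %d %H:%M:%S %Y"
FTP_LOG_TZ = timezone.utc  # assumption: the FTP log has no zone, treat it as UTC

# Constructed sample input: the rogue file's mtime and a handful of log lines from both sources.
FILE_MTIME = datetime(2013, 9, 22, 3, 14, 10, tzinfo=timezone.utc)
SAMPLE_LOG_LINES = [
    '198.51.100.20 - - [22/Sep/2013:02:00:00 +0000] "GET /forums/index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    'Sat Sep 21 22:30:11 2013 [pid 2211] [siteuser] OK UPLOAD: Client "192.0.2.10", "/public_html/forums/images/logo.png", 8192 bytes, 120.00Kbyte/sec',
    '203.0.113.5 - - [22/Sep/2013:03:12:41 +0000] "GET /forums/misc.php?do=page HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Sep/2013:03:14:02 +0000] "POST /forums/includes/old_plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped',
    '198.51.100.20 - - [22/Sep/2013:03:20:55 +0000] "GET /cheap-pills.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_access(line):
    """Parse one combined-format access log line into an event dict, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], ACCESS_TS_FMT)  # %z makes this timezone-aware
    return {"source": "access", "ts": ts, "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": m["status"],
            "detail": f'{m["method"]} {m["path"]} -> {m["status"]}'}


def parse_ftp(line):
    """Parse one vsftpd-style transfer log line into an event dict, or None."""
    m = FTP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], FTP_TS_FMT).replace(tzinfo=FTP_LOG_TZ)
    return {"source": "ftp", "ts": ts, "ip": m["ip"], "user": m["user"],
            "op": m["op"], "result": m["result"], "path": m["path"],
            "detail": f'{m["user"]} {m["result"]} {m["op"]} {m["path"]}'}


def events_near(file_mtime, lines, window=timedelta(minutes=15)):
    """Return all parseable events within +/- window of the file timestamp, oldest first."""
    hits = []
    for line in lines:
        ev = parse_access(line) or parse_ftp(line)
        if ev is None:
            continue  # unknown format: skip rather than guess
        delta = ev["ts"] - file_mtime
        if -window <= delta <= window:
            ev["offset_s"] = int(delta.total_seconds())  # negative = before the file appeared
            hits.append(ev)
    hits.sort(key=lambda e: e["ts"])
    return hits


def is_suspicious(ev):
    """Triage heuristic: any FTP upload, or a successful POST to a PHP script."""
    if ev["source"] == "ftp":
        return ev["op"] == "UPLOAD"
    bare_path = ev["path"].split("?", 1)[0].lower()
    return ev["method"] == "POST" and bare_path.endswith(".php") and ev["status"] == "200"


def triage(file_mtime, lines, window=timedelta(minutes=15)):
    """Return (all events in the window, the subset worth looking at first)."""
    hits = events_near(file_mtime, lines, window)
    return hits, [e for e in hits if is_suspicious(e)]


if __name__ == "__main__":
    hits, flagged = triage(FILE_MTIME, SAMPLE_LOG_LINES)
    for e in hits:
        mark = "!!" if e in flagged else "  "
        print(f'{mark} {e["offset_s"]:+6d}s {e["source"]:6} {e["ip"]:15} {e["detail"]}')
```

Feed it the real file's timestamp and the real log lines (for instance `stat` on the file, then the lines of the access log, the FTP log and the cPanel access log concatenated), widening the window if nothing shows. Two caveats belong with this approach: mtime can be set by whoever wrote the file, so prefer the change time (`stat -c %z`) as the anchor; and `~/.bash_history` carries no timestamps unless `HISTTIMEFORMAT` was set beforehand, so it can only be ordered, not placed on this timeline.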