Hi Guys,
After being told by Google that our site had been hacked and was presenting spam, I had a quick look. All pages looked fine and a thorough scan of the files using Google's own tools by myself, and a complete scan by Total Server Solutions, revealed nothing. But then I found a load of xml files being created in real time, in a folder 'userfiles', containing Russian ads for flights.
Checking x-errors-files-yymmdd.php, I found it contained the following:
Quote:
[0ct-2015 09:12:21] FILES message:
Logged as:
Uploaded files:
revslider.zip (size: 23752 byte(s), type: application/zip)
Request URI: /cdseopro.php
-------------------------------------------------
[0ct-2015 09:12:30] FILES message:
Logged as:
Uploaded files:
showbiz.zip (size: 23741 byte(s), type: application/zip)
Request URI: /cdseopro.php
-------------------------------------------------
[0ct-2015 09:12:40] FILES message:
Logged as:
Uploaded files:
revolution-slider.zip (size: 23812 byte(s), type: application/zip)
Request URI: /cdseopro.php
-------------------------------------------------
[0ct-2015 12:29:18] FILES message:
Logged as:
Uploaded files:
revslider.zip (size: 828 byte(s), type: application/zip)
Request URI: /cdseopro.php
-------------------------------------------------
Is this the smoking gun? Is someone using cdseopro.php to gain access to my server?
Any help will be appreciated.
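
Added example, not part of the original post: a small Python parser for the upload-log layout quoted above that groups archive or script uploads made with an empty "Logged as:" field by request URI, so the endpoints receiving anonymous uploads stand out. The sample log, its placeholder timestamps, the `Logged as: admin` form and the extension list are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in the post's layout; timestamps, the admin entry and its path are made up.
SAMPLE = """\
[TIMESTAMP-1] FILES message:
Logged as:
Uploaded files:
revslider.zip (size: 23752 byte(s), type: application/zip)
Request URI: /cdseopro.php
-------------------------------------------------
[TIMESTAMP-2] FILES message:
Logged as: admin
Uploaded files:
logo.png (size: 5120 byte(s), type: image/png)
Request URI: /admin/upload.php
-------------------------------------------------
"""
FILE_RE = re.compile(r"^(?P<name>.+?) \(size: (?P<size>\d+) byte\(s\), type: (?P<type>[^)]+)\)$")
RISKY_EXT = (".zip", ".php", ".phtml", ".phar")  # assumption: extensions worth a manual review

def parse_entries(text):
    """Split the log on its dashed separators and return one dict per entry."""
    entries = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        if not lines or "FILES message" not in lines[0]:
            continue
        entry = {"when": lines[0].split("]")[0].lstrip("["), "user": "", "uri": "", "files": []}
        for line in lines[1:]:
            if line.startswith("Logged as:"):
                entry["user"] = line[len("Logged as:"):].strip()
            elif line.startswith("Request URI:"):
                entry["uri"] = line[len("Request URI:"):].strip()
            elif (m := FILE_RE.match(line)):
                entry["files"].append((m["name"], int(m["size"]), m["type"]))
        entries.append(entry)
    return entries

def suspicious_uploads(entries):
    """Group uploads with no logged-in user and a risky extension by request URI."""
    hits = defaultdict(list)
    for e in entries:
        for name, size, _ctype in e["files"]:
            if not e["user"] and name.lower().endswith(RISKY_EXT):
                hits[e["uri"]].append((e["when"], name, size))
    return dict(hits)

if __name__ == "__main__":
    print(suspicious_uploads(parse_entries(SAMPLE)))
```

The timestamps it reports can then be matched against the web server access log to find the client addresses behind each flagged upload.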