0

I keep getting a file called "wp-sil.php" uploaded to one specific folder. When I copy the file to my desktop so I can examine it, it removes itself.

When I open the URL string live on my website, I see the entire folder content and options to delete/edit/modify.

At the bottom there is a signature: https://www.google.ca/search?q=B+Ge+Team+File+Manager+Version+1.0%2C+Coded+By+Little+Wei&rlz=1C1CHBF_enCA711CA711&oq=B+Ge+Team+File+Manager+Version+1.0%2C+Coded+By+Little+Wei&aqs=chrome..69i57j69i64l3.330j0j4&sourceid=chrome&ie=UTF-8

Of course I deleted the file from each folder that I found it in, but I am worried it will come back again.

I have changed every password I could think of, changed all FTP access and only have a few people accessing the FTP (to a specific folder), added GoDaddy's malware protection to scan everything and it came back with nothing. I blocked a bunch of different countries' IP addresses.

I back up the files weekly so I am not worried about losing anything, but it will cause a slight inconvenience if the current live files are affected.

Is there a way to block a filename from being uploaded or block unauthorized uploads in general? Or at least check who is behind this?

BragDeal
  • 115

1 Answer

3

You are probably using a vulnerable application (maybe an old version of WordPress, old themes, outdated plugins... just guessing) and someone is using such a vulnerability to upload promiscuous files and abuse your server / services. You should update everything.

Or you may have a vulnerable service (do you have root access to your server? Do you update your system regularly?)

Or you may have a compromised account because of weak passwords or stolen credentials.

Restoring a backup won't be enough.

You'll have to check at least these three aspects before you have a chance of getting rid of this.

Also, you provided too few details to receive more than general help like this.

Marco
  • 1,864
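
One way to approach the "check who is behind this" part of the question from the web server's access log, as an added example that is not part of the original question or answer. It assumes Apache/nginx combined log format; the sample lines, IP addresses and the plugin path are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges, hypothetical plugin path).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2018:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2018:10:04:40 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "curl/7.58"
203.0.113.9 - - [02/Mar/2018:10:04:55 +0000] "GET /wp-content/uploads/wp-sil.php HTTP/1.1" 200 8844 "-" "curl/7.58"
203.0.113.9 - - [02/Mar/2018:10:05:30 +0000] "POST /wp-content/uploads/wp-sil.php HTTP/1.1" 200 9120 "-" "curl/7.58"
198.51.100.7 - - [02/Mar/2018:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(lines):
    """Yield one dict per log line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def trace_dropped_file(lines, filename="wp-sil.php"):
    """Map each client IP that requested `filename` to its hits on the file
    and to the POSTs it sent before its first hit (candidate upload paths)."""
    entries = list(parse(lines))
    report = defaultdict(lambda: {"hits": [], "prior_posts": []})
    first_hit = {}
    for idx, e in enumerate(entries):
        # Compare only the last path segment, ignoring any query string.
        name = e["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name == filename:
            first_hit.setdefault(e["ip"], idx)
            report[e["ip"]]["hits"].append((e["ts"], e["method"], e["path"]))
    for idx, e in enumerate(entries):
        ip = e["ip"]
        if ip in first_hit and idx < first_hit[ip] and e["method"] == "POST":
            report[ip]["prior_posts"].append((e["ts"], e["path"]))
    return dict(report)

if __name__ == "__main__":
    for ip, info in trace_dropped_file(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The `prior_posts` entries are the requests worth checking against installed plugins and themes; the logged IP may be a proxy rather than the real origin.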