On Monday, 14 April 2014 at 03:13:31 UTC, Vladimir Panteleev wrote:


I think the question should be asked, "How did that file get there?"

Was there a security hole in the blog software?

Was the password guessed, sniffed or stolen?
(There exists Windows malware that steals saved FTP/SCP passwords...)

Until the security hole is closed for good, the file may reappear again.

On shared hosting, situations like this (in my experience) follow a checklist. You remove any infected files and malware from your directories, update the passwords, reinstall or update the software and, if the problem persists, tech support will dig into it to find the holes.

In seven years of running the site, I had previously only had one script injection problem which came down to a bug in WordPress and was fixed in the next update. Never had a malware problem before, but given that these guys instructed me to delete it (a no-brainer) or risk suspension of my account, I would not expect them to charge me $40 when it proves impossible for me to remove.


I would suggest looking at the file's modification time, and checking the HTTP / FTP access logs for suspicious activity around that time.

One can wish. The file time is Jan 1, 1970 8:59. It's zero bytes and has full permissions. Its name is a jumbled mess (blocks and symbols). The only clue I had was the modification times of the mysterious php files (all of which also showed up as 0 bytes) and the infected html files, but I don't know if they're related to the malware or something completely different.
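
The check suggested in the quoted text (compare file modification times with the HTTP access log), sketched as an added example that is not part of the original thread. It assumes Apache combined log format; the log lines, paths, timestamps and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2014:10:14:58 +0000] "POST /blog/wp-content/uploads/x1.php HTTP/1.1" 200 12 "-" "curl/7.30"
198.51.100.4 - - [02/Apr/2014:10:40:00 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2014:10:15:03 +0000] "GET /blog/index.html HTTP/1.1" 200 900 "-" "curl/7.30"
192.0.2.9 - - [03/Apr/2014:08:00:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse_line(line):
    """Return one request as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}

def usable_mtimes(mtimes):
    """Drop times at or near the Unix epoch: a 1970 mtime is reset or bogus, not evidence."""
    cutoff = datetime(1971, 1, 1, tzinfo=timezone.utc)
    return [t for t in mtimes if t > cutoff]

def requests_near(log_text, mtimes, window=timedelta(minutes=5)):
    """Requests logged within `window` of any trustworthy modification time."""
    good = usable_mtimes(mtimes)
    recs = (parse_line(line) for line in log_text.splitlines())
    hits = [r for r in recs if r and any(abs(r["time"] - t) <= window for t in good)]
    return sorted(hits, key=lambda r: r["time"])

def suspects(hits):
    """Client IPs that sent a POST to a .php path inside the window."""
    return sorted({r["ip"] for r in hits
                   if r["method"] == "POST" and r["path"].split("?")[0].endswith(".php")})

if __name__ == "__main__":
    # Constructed mtimes: one epoch value (ignored) and one from a modified file.
    mtimes = [datetime(1970, 1, 1, 8, 59, tzinfo=timezone.utc),
              datetime(2014, 4, 2, 10, 15, tzinfo=timezone.utc)]
    hits = requests_near(SAMPLE_LOG, mtimes)
    for r in hits:
        print(r["time"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
    print("review first:", suspects(hits))
```

On a real host the modification times would come from `os.stat(path).st_mtime` on the altered files, and the same window can be applied to the FTP log.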
