File 1 discovered: stats.php
in folder /qa-include/stats.php
File 2 discovered: zp.php
in folder: /qa-plugin/q2a-edit-history/zp.php
in folder: /qa-theme/mobiles/zp.php
File 3 discovered: apps/facebook/class.php
(it is a folder holding only an index.html, nothing else, so the hacker must have used a "filemanger" to find it)
I uploaded all files to the github repository: https://github.com/echteinfachtv/q2a-various
File zp.php states "c99shell.php v.1.0 beta (îò 16.02.2005)
© Captain Crunch Security TeaM
@Scott: Could it be that they came throught the q2a edit plugin?
@gidgreen: How could they write to the theme folder? Seeing the logs it seems that they came via qa-include/stats.php ! But they did not put the stats.php by ftp. Seems that class.php is a filemanger, but could not find a trace yet how they put this file. Any tip?
I have not found any FTP access, so they must have been using a script. This is what I found in the server logs from 2013-07-19 (IP 126.96.36.199 from Moscow, Russia): https://github.com/echteinfachtv/q2a-various/blob/master/2013-07-19-log.txt
What could that mean? What is the purpose of this attack?
PLEASE CHECK your own server files!