Got hacked by Russians. New files in qa-include, qa-plugin and theme folder discovered

Tue, 30 Jul 2013 05:38:16 +0000

File 1 discovered: stats.php

in folder /qa-include/stats.php

File 2 discovered: zp.php

in folder: /qa-plugin/q2a-edit-history/zp.php

in folder: /qa-theme/mobiles/zp.php

File 3 discovered: apps/facebook/class.php

(it is a folder holding only an index.html, nothing else, so the hacker must have used a "filemanger" to find it)

I uploaded all files to the github repository: https://github.com/echteinfachtv/q2a-various

File zp.php states "c99shell.php v.1.0 beta (îò 16.02.2005)

CCTeaM.

WEB: ccteam.ru

© Captain Crunch Security TeaM

Please help.

@Scott: Could it be that they came throught the q2a edit plugin?

@gidgreen: How could they write to the theme folder? Seeing the logs it seems that they came via qa-include/stats.php ! But they did not put the stats.php by ftp. Seems that class.php is a filemanger, but could not find a trace yet how they put this file. Any tip?

---

I have not found any FTP access, so they must have been using a script. This is what I found in the server logs from 2013-07-19 (IP 128.72.113.203 from Moscow, Russia): https://github.com/echteinfachtv/q2a-various/blob/master/2013-07-19-log.txt

What could that mean? What is the purpose of this attack?

PLEASE CHECK your own server files!

Question2Answer Q&A - Recent questions tagged zp

Got hacked by Russians. New files in qa-include, qa-plugin and theme folder discovered