Hacked server placing php mailers. zipped ".razor" and it repropagated

  • Answered
Five days ago, IMH notified me that my system had been hacked with multiple PHP files that looked like spam mailers. Most were in Joomla folders, but some were in empty (forwarding) domain folders. The files used various names and copied the date of files already in the folder.
We quarantined them all, but they came back. We then changed all the passwords and upgraded all products to the same Joomla 3.6.2, except for a family tree site where we abandoned Joomla and bought TNG. It came back a third time. We reduced the active sites to the most critical. Tonight, John, a knowledgeable support guy with IMH, went through the top-level files with me and found a folder .razor with the following:

razor-agent.log
server.c301.cloudmark.com.conf
server.c302.cloudmark.com.conf
server.c303.cloudmark.com.conf
servers.catalogue.lst
servers.discovery.lst
servers.nomination.lst

We compressed this folder into a zip file, leaving the folder empty.

Two hours later, the files are there again. Suspicion is that this is part of the hack.

We're looking for the "mother", the one that propagates the many "children" that have code like this:

$GLOBA...

How can we find out what is the mother hack, and if it is .razor, what is writing it after we zipped it?
johnpaulb-imhs1
Hello,

Thank you for your question regarding a hacked website. Since this is just the public forums, I recommend submitting a ticket to Live Support requesting a scan with our internal malware scan tool. It should find the type of hacked code you listed. Also, here is a helpful article on Recovering after a Hack. If you are using a CMS (such as WordPress, Drupal, Joomla, etc.), it may be beneficial to replace the core files.

Thank you,
John-Paul
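The question above asks how to find what keeps writing files after they are removed. Two points worth separating: the file names listed under .razor (razor-agent.log, servers.*.lst, server.c30x.cloudmark.com.conf) are the standard state files of the Vipul's Razor anti-spam agent, which SpamAssassin's Razor2 plugin recreates whenever it runs, so a regenerated directory is not by itself evidence of compromise; the useful step is establishing which process writes a given path. The script below is an added example, not code from the thread or from IMH. It assumes a POSIX shell with find, grep, mktemp and optionally inotifywait (from inotify-tools); the demo tree, the crontab lines and paths such as /tmp/.cache are constructed samples, not indicators from the page. It shows three things a hosting customer can do without root: list PHP files by ctime as well as mtime (a dropper that copies a neighbour's mtime still gets a fresh ctime), flag files carrying the obfuscated $GLOBALS/eval pattern the poster mentions, and watch a directory so the next write can be timestamped and matched against cron runs and access logs.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for "what keeps writing these files?"
# Assumes a POSIX shell with find, grep, mktemp and optionally inotifywait (inotify-tools).
# Paths such as /tmp/.cache and the cron lines below are constructed samples, not indicators.

# 1. PHP files changed in the last N days under a web root. Droppers that copy the
#    mtime of neighbouring files (as the poster saw) still get a fresh ctime, because
#    ctime cannot be set with touch or utime; so both clocks are checked.
find_recent_php() {
    root=$1; days=$2
    find "$root" -type f -name '*.php' \( -mtime "-$days" -o -ctime "-$days" \) 2>/dev/null | sort
}

# 2. Content heuristic for the "$GLOBA..." family: an obfuscated $GLOBALS array that
#    feeds eval/base64_decode/gzinflate. Both conditions must hold, to limit false hits
#    on legitimate code that merely references $GLOBALS.
grep_suspicious_php() {
    root=$1
    find "$root" -type f -name '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        if grep -q '\$GLOBALS\[' "$f" && grep -qE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# 3. Re-infection after cleanup is usually a scheduled job or a leftover webshell. Flag
#    crontab lines (read from a file, e.g. after `crontab -l > ct.txt`) that run an
#    interpreter or downloader from a temp or hidden location, or fetch over HTTP.
flag_cron_lines() {
    grep -E '(php|perl|python|curl|wget|sh) ' "$1" 2>/dev/null |
        grep -E '/tmp/|/dev/shm/|/\.[A-Za-z]|https?://' || true
}

# 4. Catch the writer in the act. With inotify-tools, stream create/modify events with
#    timestamps and correlate them with cron schedules and web access logs; without it,
#    poll against a marker file. poll_new_files is one poll step so it is testable alone.
poll_new_files() {
    dir=$1; marker=$2
    find "$dir" -newer "$marker" ! -path "$dir" 2>/dev/null | sort
    touch "$marker"
}

watch_dir() {
    dir=$1
    if command -v inotifywait >/dev/null 2>&1; then
        inotifywait -m -r -e create,modify,moved_to --timefmt '%F %T' --format '%T %e %w%f' "$dir"
    else
        marker=$(mktemp)
        while :; do
            poll_new_files "$dir" "$marker"
            sleep 5
        done
    fi
}

# Constructed sample tree: one clean file, one file with the dropper markers, one crontab.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/joomla" "$root/images"
    printf '<?php echo "hello";\n' > "$root/joomla/index.php"
    printf '<?php $GLOBALS["a"] = "base64_decode"; eval($GLOBALS["a"]("...")); /* constructed marker only */\n' \
        > "$root/images/thumb.php"
    printf '0 3 * * * /usr/bin/backup.sh --quiet\n*/10 * * * * php /tmp/.cache/up.php >/dev/null 2>&1\n' \
        > "$root/crontab.txt"
    printf '%s\n' "$root"
}

# Usage: `sh triage.sh demo` runs the checks on the sample tree; source the file
# (`. ./triage.sh`) and call `watch_dir /path/to/public_html` to watch a real directory.
case "${1:-}" in
    demo)
        root=$(build_demo_tree)
        echo "== PHP changed in the last day =="; find_recent_php "$root" 1
        echo "== PHP with dropper markers =="; grep_suspicious_php "$root"
        echo "== cron lines worth a look =="; flag_cron_lines "$root/crontab.txt"
        ;;
esac
```

The timestamps from watch_dir are the piece the poster is missing: once a write to .razor or to a Joomla folder is logged to the second, it can be lined up against the account's cron schedule and the web server access log for that second, which tells apart a legitimate mail-filter process from a request hitting a dropped PHP file. On shared hosting the process owner cannot be seen from inside the account, so that correlation is what to hand to the host's support ticket.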