Shell by oRb?

  • Answered
I backup my site daily and have a copy of the zip sent to DropBox so there's also an off-site copy (a WP plug-in handles it nicely.)

The other day, looking in my DropBox folder, I noticed an odd little file called wasn't in the backup zip, just sitting in the root DropBox folder/directory. In that file was some kind of script which included the line above, 'Shell by oRb'. An online search indicates this is a malicious backdoor script that seemed to be discussed mostly a couple of years ago. It does seem to have related directly to Wordpress and perhaps hacks of the xlmprc.php file, but that's just my take on it.

Examining all my backups, and searching as best I could, I do not find a copy of this file on my WP site or in any of the backup zips. So I have no idea where it came from or how it got into my DropBox folder.
As of now, I can't see how it could have been deposited there from my WP site, since the only connection between the two is the backup zip's that get copied from WP to DropBox daily. That has me wondering about DropBox itself.

My worry is that this somehow was on my WP site and has inserted itself somewhere else and then deleted the x.php file. So it no longer would be in the backups, but I might still be hacked. But, it was not in the zip file sent from my site...only sitting in the root of my DropBox folder, apparently doing nothing.

I'd like to know what anyone else's thoughts are on how the file may have gotten into the DropBox folder? I don't run PHP code on my home computer, but perhaps something nefarious had a way to stick this x.php file in my DropBox folder...for what purpose, I don't know. And, how might I check whether my WP site on InMotion actually has been hacked?

Any ideas will be greatly appreciated.
Hello CPL, We do not know how that may have gotten on your Dropbox. To date, we have had no other reports on inquiries about that file, so that is good news so far. You may want to check your files on the server for the same filename to see if a copy exists here. However, as it is an older script, it has likely been rendered impotent by Wordpress's security updates. Although hacks can be hard to find if they are not doing anything and we do not know what files or scripts to check for, preliminary scanning indicated that the site is fine, except for being a slightly outdated WordPress version. If you see any peculiar behavior, contact our support department and we can track and follow the behavior to see if it is malicious. So far, though, everything looks fine. I hope this answers your question. If you have any more questions or information specific to the issue please leave a comment below so we can further assist you. Best Regards, Scott M