Shell by oRb?
I back up my site daily and have a copy of the zip sent to Dropbox so there's also an off-site copy (a WP plug-in handles it nicely).
The other day, looking in my Dropbox folder, I noticed an odd little file called x.php...it wasn't in the backup zip, just sitting in the root Dropbox folder/directory. In that file was some kind of script which included the line above, 'Shell by oRb'. An online search indicates this is a malicious backdoor script that seemed to be discussed mostly a couple of years ago. It does seem to have related directly to WordPress and perhaps hacks of the xmlrpc.php file, but that's just my take on it.
Examining all my backups, and searching as best I could, I do not find a copy of this file on my WP site or in any of the backup zips. So I have no idea where it came from or how it got into my Dropbox folder.
As of now, I can't see how it could have been deposited there from my WP site, since the only connection between the two is the backup zips that get copied from WP to Dropbox daily. That has me wondering about Dropbox itself.
My worry is that this somehow was on my WP site and has inserted itself somewhere else and then deleted the x.php file. So it no longer would be in the backups, but I might still be hacked. But, it was not in the zip file sent from my site...only sitting in the root of my Dropbox folder, apparently doing nothing.
I'd like to know what anyone else's thoughts are on how the file may have gotten into the Dropbox folder? I don't run PHP code on my home computer, but perhaps something nefarious had a way to stick this x.php file in my Dropbox folder...for what purpose, I don't know. And, how might I check whether my WP site on InMotion actually has been hacked?
Any ideas will be greatly appreciated.
-C
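An added example, not part of the original post: one way to search a folder of daily backup zips for the two indicators the post mentions, a file named x.php and the string 'Shell by oRb' inside any file. The function names and the sample archives are hypothetical and constructed for illustration.

```python
import tempfile
import zipfile
from pathlib import Path

MARKER = b"shell by orb"   # string quoted in the post, compared case-insensitively
SUSPECT_NAME = "x.php"     # file name reported in the post


def scan_backup(zip_path):
    """Return sorted (member, reason) findings for one backup zip."""
    findings = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Zip member paths always use "/" regardless of platform.
            if info.filename.rsplit("/", 1)[-1].lower() == SUSPECT_NAME:
                findings.append((info.filename, "name"))
            # The marker may have been pasted into a legitimate file.
            if MARKER in zf.read(info).lower():
                findings.append((info.filename, "marker"))
    return sorted(findings)


def scan_backup_dir(backup_dir):
    """Scan every *.zip in backup_dir; unreadable archives are reported too."""
    report = {}
    for zip_path in sorted(Path(backup_dir).glob("*.zip")):
        try:
            hits = scan_backup(zip_path)
        except zipfile.BadZipFile:
            hits = [(zip_path.name, "unreadable")]
        if hits:
            report[zip_path.name] = hits
    return report


def build_sample_backups(directory):
    """Constructed sample data: one clean backup and one with both indicators."""
    d = Path(directory)
    with zipfile.ZipFile(d / "backup-clean.zip", "w") as zf:
        zf.writestr("wp-config.php", "<?php // constructed sample\n")
    with zipfile.ZipFile(d / "backup-suspect.zip", "w") as zf:
        zf.writestr("wp-content/themes/demo/footer.php", "<?php /* Shell by oRb */ ?>")
        zf.writestr("wp-content/uploads/x.php", "<?php // constructed placeholder\n")
    return d


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_backup_dir(build_sample_backups(tmp)))
```

A clean result only covers what the backups captured; a file that was created and removed between two daily backups would not appear in any of them.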