Hacked

[Qtech]

If you have a backup I suggest comparing the online version with the backup and see if any files are different, If files are showing up on your hosting space you did not put there, they may have even hacked the FTP account (Worth checking).
What code is inside these new files?

I changed all passwords in Sentora.
Changed FTP accounts (I had only 2).

The file that keeps coming back is guy.php.

I don't think I should post it on the net. I could send you a private link via im. It's too bad there isn't a place where you can upload code and company keeps track of all these php code. Then it can be parsed in sentora or something like that.

Not much from google on the file guy.php or 404.guy.php

I checked permissions. 755 on the folder.
I am using it for a non-profit so this is a hard hit.

tia.

---

btw

I paid for Wordfence but the issue is it can't run the scan without this error.

Warning: tempnam(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/sentora/hostdata/account/public_html/doman_org:/var/sentora/temp/) in /var/sentora/hostdata/account/public_html/domain_org/wp-
I have no idea on this.

The free version of wordfense also does the scan and I got the same error.

[TGates]

the open_basedir can be disabled as mentioned in a previous post. That will allow you to run the script. Just remember to enable it again after running it
Yes, please zip up the guy.php and 404.guy.php files and link me to them in a PM. I am curious to see what they do.

As I mentioned, your best bet is to backup your current site and DB and maybe do a fresh install because they obviously have found or added a vulnerability to your WP install.

[Qtech]

the open_basedir can be disabled as mentioned in a previous post. That will allow you to run the script. Just remember to enable it again after running it

Okay I am more confused. Disable or Enable the option. Anyway I tried both. didn't work.

[TGates]

You have to wait at least 5 minutes for the changes to take affect. You can verify the changes by checking the httpd-vhosts.conf for the domain and see if the open_basedir directive is removed from the vhost.

If it is removed but still not working, restart apache and try again.

[Qtech]

You have to wait at least 5 minutes for the changes to take affect. You can verify the changes by checking the httpd-vhosts.conf for the domain and see if the open_basedir directive is removed from the vhost.

If it is removed but still not working, restart apache and try again.

Okay that worked. Any issue in keeping that off for an extended period of time.

[TGates]

open_basedir is what locks the users down to their hosting folders. If disabled, it becomes possible for a user (or hacker) to crass over to other folders on the server. If you trust the code and it is 100% safe, it should not matter how long.

[jonnys]

I found this security article implemented security in .htaccess maybe helpful to someone
https://secure.rivalhost.com/knowledgeba...hacks.html
Don't know if these security filters are already included in sentora

---

[TGates]

Looks like some useful directives in there. Will have to check it out