Suspicious File - Interactive Tools or Hacker?

9 posts by 3 authors in: Forums > CMS Builder
Last Post: June 23, 2011   (RSS)

Hi there, just running a security scan on a client site and this came up:

Possible malicious file found (doc.php - Suspicious PHP Code)

in the cms /data directory

It appears to be a File Utility - FileMan WSO 2.3

I don't remember putting this on the site - I had some consulting work done by interactive tools around the time stamp so would this be something interactivetools would have used?

Have attached the php file below.

Many thanks
Jan

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Jason - June 23, 2011

Hi Jan,

We don't have a file called doc.php as part of CMS Builder. The attachment didn't come through, though. Could you try attaching the file again and we can take a look at it for you.

Thanks
Jason.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Jason] Suspicious File - Interactive Tools or Hacker?

whoops, here it is...

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Jason - June 23, 2011

Hi,

This doesn't look like anything we've put together. As a precaution, you should do a search through your other .php files (cmsb files included) looking for references to "doc.php". Another option would be to do a backup of your data, and then re-upload CMS Builder to overwrite any references to the file that may have been put into CMS Builder.

Since it looks like your server was probably compromised, you can also contact your hosting provider with this information.

Hope this helps. Please let us know if you need anything else.
---------------------------------------------------
Jason Sauchuk - Project Manager
interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

Re: [Jason] Suspicious File - Interactive Tools or Hacker?

Thanks jason, fyi, here is a screen grab of the interface.
Attachments:

screen.png 92K

Re: [Dave] Suspicious File - Interactive Tools or Hacker?

Hi Dave, thanks for that, will do some more digging. I am surprised as this particular site is a cms builder only site - no wordpress or anything else like that - will double check if there is any other php code used for any special functions.

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

Hi Dave, does cms builder use phpThumb?

Re: [theclicklab] Suspicious File - Interactive Tools or Hacker?

By Dave - June 23, 2011

Hi Jan,

No, that's not part of the software or anything we use.
Dave Edis - Senior Developer
interactivetools.com