ttmw Posted March 30, 2011

It's just come to my notice that I've had some kind of hack on my site. I've got a .xcache file in my website.com/images/ file. I know this is a common hack, but I don't know how to sort it. I know I need to sort the underlying security issue, but for starters, I can't even delete the file. It says my access is denied, it keeps saying '550 Could not delete .xcache: Invalid argument'... How do I delete this, and if anyone knows of the reason or a clue of how this happened or other files I should look for, please let me know! :)

I'm in the middle of securing the site via a thread on here, but until then, and to help me along, please feel free to suggest fixes and anything you think might help.

Thanks!

Guest Posted March 30, 2011

John,

The file can only be deleted using your hosting account's file manager. The hacker has placed irregular files in the directory that will not allow you to delete it using an FTP client. Files such as .a/m2 cannot be deleted normally.

Also, with this type of hack, be sure to check your /includes/languages/english/cookie_usage.php file for malicious code.

Chris

ttmw (Author) Posted March 30, 2011

I'm using cPanel (but have control of my WHM also)... I've tried deleting the file using 'File Manager' in cPanel, but unless I'm doing something wrong, it still won't delete and returns when I refresh or return to the directory.

Guest Posted March 30, 2011

John,

Ask your hosting provider to remove it for you. In the meantime, rename it if you can and make the permissions Owner read only.

Chris

ttmw (Author) Posted March 30, 2011

I'm on an unmanaged hosting account on a dedicated server currently, so there is no support. Is there no other way to do it via WHM?

Xpajun Posted March 30, 2011

John, have you tried changing file permissions before deleting, or can you not do that either?

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄). I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.

ttmw (Author) Posted March 30, 2011

"John, have you tried changing file permissions before deleting or can you not do that either?"

I don't seem to be able to change permissions either, no... it's currently stuck at 750 :(

Taipo Posted March 30, 2011

What are the files in the .xcache directory?

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

ttmw (Author) Posted March 30, 2011

"What are the files in the .xcache directory?"

It won't let me access the files, but judging by a quick look around, it's YouTube and bogus other website links in the thousands. Along with a few other sly hacks and such. Nothing too exciting, I just want rid! :( There are other PHP files there too with similar hidden code :(

Taipo Posted March 31, 2011

If it's a standalone server then something on the server is writing to it perhaps. Have you tried then to turn off Apache and then (obviously remoted in via some remote access facility) try deleting or renaming the directory?

germ Posted March 31, 2011

Check who is the "owner" of the files.

If you aren't the "owner" of the files/folders you probably can't remove them (depends on permissions of the owners).

Last hacked shop I was in all the hack files were owned by "root".

So it took a little extra to get things back to normal.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -

"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help

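The checks suggested across this thread (who owns the entries, which ones are hidden, and whether the current account can remove them) can be run in one pass from a shell on the server. This is an added example, not code posted by anyone in the thread; the function names are hypothetical and the sample tree is constructed.

```shell
#!/usr/bin/env bash
# Added triage example, not code from the thread. Paths below are constructed.

# Entries under DIR whose owner is not EXPECTED_UID (numeric uid, e.g. from `id -u`).
foreign_owned() {
    find "$1" -mindepth 1 ! -user "$2" -print 2>/dev/null | sort
}

# Dot-prefixed entries under DIR, which many FTP clients and file managers hide.
hidden_entries() {
    find "$1" -mindepth 1 -name '.*' -print 2>/dev/null | sort
}

# Removing an entry needs write+search permission on its parent directory;
# the entry's own mode does not decide it. Sticky bits and ACLs are not checked.
can_unlink() {
    local parent
    parent=$(dirname -- "$1")
    [ -w "$parent" ] && [ -x "$parent" ]
}

# One line per suspicious entry: numeric owner/mode listing plus a removability flag.
triage() {
    local p flag
    { foreign_owned "$1" "$2"; hidden_entries "$1"; } | sort -u |
    while IFS= read -r p; do
        if can_unlink "$p"; then flag=yes; else flag=no; fi
        printf '%s\tremovable_by_me=%s\n' "$(ls -ldn -- "$p")" "$flag"
    done
}

# Constructed sample tree standing in for a shop's images/ directory.
sample=$(mktemp -d)
mkdir -p "$sample/images/.xcache"
touch "$sample/images/logo.gif" "$sample/images/.xcache/links.php"
triage "$sample/images" "$(id -u)"
```

On a real server, pass the web root and the numeric uid of the hosting account; anything listed with a different owner (for example uid 0) has to be handled from an account with sufficient privileges.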
This topic is now archived and is closed to further replies.