I discovered that my DreamHost account appears to have been "hacked". What does this PHP code do and what's a good way to get rid of it?
When I was playing around with my websites tonight I noticed tons of PHP files that weren't there before. This link is an example of one of the files that I found.
In general, it appears that it takes any file matching *.(php|html|phps), renames it to filename<random alpha in A-Za-z>.php and sticks something similar to the above-linked PHP doc in it.
I notified DreamHost of the problem, hoping that they could dig through my backups and let me know when these files were created, but I'm not holding my breath.
1. Has anyone seen these before? They're quite hard to search Google for since it's almost completely random data.
2. What does it do? I'm assuming it's some sort of botnet drone code of some sort.
3. It appears to have only created copies of files that are accessible from a Google search. e.g. I have a few "private" web pages that have obscure directory names that only I know. These files were not modified (but are clearly read/writeable with PHP).
4. How do I clean it up nicely? I don't see any modifications to existing files, so I think I can just delete the files that were created. File sizes, names, etc. are all different.
Thanks in advance!
Sorry for the meta-question. I'd be able to narrow it down to one more specific question if I could Google it.
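
Added example, not part of the original post: a read-only Python scan that lists files fitting the naming pattern described in the question, next to the file each one appears to be derived from and its modification time. It assumes a dropped copy is named either `<stem><letters>.php` or `<full name><letters>.php`; `find_suspect_copies` and `demo` are hypothetical names, and the file names in `demo` are constructed.

```python
import os
import re
import tempfile
import time

ORIGINAL_EXT = (".php", ".html", ".phps")  # extensions named in the post


def find_suspect_copies(root):
    """Return sorted (suspect_path, original_path) pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for orig in names:
            stem, ext = os.path.splitext(orig)
            if ext.lower() not in ORIGINAL_EXT:
                continue
            # Assumption: a copy is <stem><letters>.php or <full name><letters>.php
            pat = re.compile(r"^(?:%s|%s)[A-Za-z]+\.php$"
                             % (re.escape(stem), re.escape(orig)))
            for cand in names:
                if cand != orig and pat.match(cand):
                    hits.append((os.path.join(dirpath, cand),
                                 os.path.join(dirpath, orig)))
    return sorted(hits)


def demo():
    """Run the scan over a constructed directory; return basename pairs."""
    constructed = ("index.php", "indexKdQzP.php", "about.html",
                   "aboutXyZ.php", "contact.php", "style.css")
    with tempfile.TemporaryDirectory() as root:
        for name in constructed:
            open(os.path.join(root, name), "w").close()
        return [(os.path.basename(s), os.path.basename(o))
                for s, o in find_suspect_copies(root)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # scan a real web root, e.g. python scan.py ~/example.com
        for suspect, original in find_suspect_copies(sys.argv[1]):
            stamp = time.localtime(os.path.getmtime(suspect))
            print(time.strftime("%Y-%m-%d %H:%M", stamp), suspect, "<-", original)
    else:
        print(demo())
```

Legitimate pairs such as `index.php` and `indexes.php` also fit the pattern, so the output is a list to review against a known-good backup, not a delete list.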