In the site logs I see records of malicious files being created on the server. I cannot understand how files with viruses are being created on the server.

Example:

176.32.230.52 - - [17/May/2018:09:36:57 +0300] "POST /js/validation/localization/gizzakij.php HTTP/1.0" 200 265 "https://site.ru/js/validation/localization/gizzakij.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 

I understand that this can be blocked through the firewall, but I want to figure out exactly how they get access to create files on the server. The folder permissions are 755; changing the permissions on the folder and its files achieves nothing. Only locking them with chattr helps.

In the example above the site runs on Bitrix, but there are others on the Modx CMS and the CI framework. The situation is similar: virus files are created. Scanning with Aibolit and the Virusdie service does not help; they only see files that have already been created.

  • 2
    It could be absolutely anything, from open FTP to an admin of these sites whom you have offended - andreymal
  • Answer to answer? I am the site admin, FTP is not open and the passwords there have been changed. - Maxim Salnikov
  • 4
    Maybe you only think that nothing is open? Maybe changing passwords is useless, because an attacker has long since registered an ssh-key for himself or created a separate user for himself? Maybe there is some necessary but vulnerable php script somewhere on all the sites? Maybe outdated software on the server? Unfortunately, within the framework of ruSO it is difficult to give an intelligible answer here; a full audit of the server by a relevant specialist looks more reasonable - andreymal
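
The log line in the question is a POST to a .php file inside a directory of JavaScript assets. As an added example (not part of the original thread), this script lists every PHP path requested under directories assumed to hold only static files, with its first-seen time, hit count and client IPs, which gives the audit suggested above a starting point. The directory list and every sample line except the first are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Start of a Combined Log Format line: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: these directories should only ever serve static files.
STATIC_DIRS = ("/js/", "/css/", "/images/", "/upload/")
PHP_RE = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)

# First line is the one from the question; the rest are constructed samples.
SAMPLE = [
    '176.32.230.52 - - [17/May/2018:09:36:57 +0300] "POST /js/validation/localization/gizzakij.php HTTP/1.0" 200 265 "https://site.ru/js/validation/localization/gizzakij.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" ',
    '192.0.2.10 - - [17/May/2018:09:40:01 +0300] "GET /js/validation/jquery.validate.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [17/May/2018:09:41:12 +0300] "POST /index.php HTTP/1.1" 200 5120 "https://site.ru/" "Mozilla/5.0"',
    '192.0.2.12 - - [17/May/2018:09:45:00 +0300] "GET /js/validation/localization/gizzakij.php?x=1 HTTP/1.1" 200 10 "-" "curl/7.58.0"',
]


def scan(lines):
    """Map each flagged script path to its first-seen time, hit count and client IPs."""
    found = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an access-log line we can parse
        path = urlsplit(m["path"]).path  # drop any query string
        if not (PHP_RE.search(path) and path.startswith(STATIC_DIRS)):
            continue
        # Logs are chronological, so the first match is the earliest request.
        entry = found.setdefault(
            path, {"first_seen": m["time"], "hits": 0, "ips": set()}
        )
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
    return found


if __name__ == "__main__":
    for path, info in scan(SAMPLE).items():
        print(path, info["first_seen"], info["hits"], sorted(info["ips"]))
```

The first-seen time of each path can then be compared with the file's timestamps and with the FTP, SSH and CMS logs from the same period.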
