Files disappearing

6 posts by 3 authors in: Forums > CMS Builder
Last Post: January 5, 2018   (RSS)

By mizrahi - January 4, 2018

I have a site hosted at godaddy that I hadn't logged into in a while. When I did I discovered some rogue hacking files, which I have deleted. But now I'm having issues logging into the CMS. At first, it was an issues with the sessions directory, which I fixed. But now I'm having an issue with the /lib/login_functions.php file being missing. I uploaded a brand new copy of the CMS, which includes this file, but after upload the file immediately disappears. I have also found that this happens with the exploit scanner file (xs.php). Anyone else ever experienced this? 

By Steve99 - January 4, 2018

I've experienced the exploit scanner file (xs.php) being removed from the server immediately after uploading. It was our hosts security protocols screening the uploaded file which deemed it a security issue and immediately removed the file. I'm willing to bet that's the same case with your host.

If that login function file is being removed from the server immediately after upload, then it's a possibility that file you have contains malicious code and is being removed by your hosts ftp security protocols. (as in your backup may contain malicious code). You could use a program like WinMerge to compare that file with a fresh version from the downloaded cmsb zip to check for differences.

Site hack cleanup can be a tedious task... there are also services such as Securi that you can contract to help you. Best of luck to you.

By mizrahi - January 4, 2018

that's what I am thinking is happening as well. The problem is that I'm not uploading files from backup, I'm using the original source files from the interactive tools install package. The one catch could be that I'm trying to install from v2.65. I am going to try to upgrade to v3.07 to see if helps.

By mizrahi - January 4, 2018

Upgrading to v3.07 resolved the issue. I am assuming there is some legacy code in v2.65 that server didn't like/trust. 

By Dave - January 5, 2018

Hi mizrahi,

From time to time it has happened that we discover that a specific host has a firewall or anti-virus app that falsely identifies some source code as malicious and doesn't allow it to be uploaded.  In those cases, we modify the code if it's easy to do. 

An example might be some code such as: "SELECT * FROM tablename".  If the host had an issue with that we might change it to something like "SEL" . "ECT * FROM tablename" to bypass the overzealous security filters.

So it could be that.  But in any case, glad it's working now and let us know if you run into any other issues.

Dave Edis - Senior Developer

By mizrahi - January 5, 2018

It seems godaddy recently did a forced php change on lots of hosting packages, because all of the sites I had on their hosting suddenly stopped allowing me to login. Fortunately I know how to get around it now. Thanks!