Hacked server placing PHP mailers; zipped ".razor" and it repropagated
Five days ago, IMH notified me that my system was hacked with multiple php files that looked like they were spam mailers. Most were in Joomla folders, but some were in empty (forwarding) domain folders. Files used various names and copied the date of files already in the folder.
We quarantined them all, but they came back. We then changed all the passwords and upgraded all products to the same Joomla 3.6.2, except for a family tree site where we abandoned Joomla and bought TNG. They came back a third time. We reduced active sites to the most critical. Tonight, John, a knowledgeable support guy with IMH, went through the top-level files with me and found a folder .razor containing the following:
razor-agent.log
server.c301.cloudmark.com.conf
server.c302.cloudmark.com.conf
server.c303.cloudmark.com.conf
servers.catalogue.lst
servers.discovery.lst
servers.nomination.lst
We compressed this folder into a zip file, leaving the folder empty.
Two hours later, the files are there again. Suspicion is that this is part of the hack.
We're looking for the "mother", the one that propagates the many "children" that have code like this:
$GLOBA...
How can we find out what is the mother hack, and if it is .razor, what is writing it after we zipped it?
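The script below is an added example, not part of the original post or of anything IMH provided. It shows two checks a defender would run on a shared-hosting web root after finding the kind of PHP droppers described above: a content scan for the `$GLOBALS`/`eval`/`base64_decode` markers those mailers typically carry, and a timestamp check that catches the trick the poster observed (the planted file's mtime copied from a neighbouring file). That trick works because `touch` can rewrite mtime but not ctime, so a PHP file whose ctime is far later than its mtime deserves a manual look. For context on the `.razor` folder itself: the file names listed above (razor-agent.log, servers.catalogue.lst, servers.discovery.lst, servers.nomination.lst and the server.*.cloudmark.com.conf files) are the ones Vipul's Razor keeps in its home directory when a mail filter such as SpamAssassin calls razor-agent, so the example does not treat that folder as evidence on its own. The directory layout, the sample dropper body and the reference file are constructed for the demo; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: scan a web root for dropper-like PHP files and for files whose
# mtime was copied from another file (ctime far later than mtime).
# All paths and file bodies below are constructed for the demonstration.

WEBROOT="${WEBROOT:-$(mktemp -d)}"

make_sample_tree() {
  # Constructed layout: a clean Joomla-like file, an old non-PHP reference file,
  # and a planted dropper in an otherwise empty forwarding-domain folder.
  mkdir -p "$WEBROOT/site/components" "$WEBROOT/forwarding-domain"
  printf '<?php\necho "hello";\n' > "$WEBROOT/site/components/index.php"
  printf 'GPL\n' > "$WEBROOT/site/LICENSE.txt"
  touch -t 201601010000 "$WEBROOT/site/LICENSE.txt"   # old, legitimate file
  # Constructed dropper-like body (placeholder payload, not a real sample).
  printf '<?php\n$GLOBALS["x"] = base64_decode("..."); eval($GLOBALS["x"]);\n' \
    > "$WEBROOT/forwarding-domain/cache.php"
  # Mimic the trick seen on the hacked server: copy an existing file's mtime
  # onto the dropper. Only mtime changes; ctime stays "now".
  touch -r "$WEBROOT/site/LICENSE.txt" "$WEBROOT/forwarding-domain/cache.php"
}

# List PHP files under $1 that contain markers typical of injected mailers.
find_suspicious_php() {
  grep -rlE --include='*.php' '\$GLOBALS\[|eval\(|base64_decode\(' "$1" 2>/dev/null | sort
}

# List PHP files under $1 whose ctime is more than $2 seconds (default 60)
# later than their mtime. A backdated mtime cannot move ctime, so a large gap
# is a timestomping indicator; review each hit by hand.
find_timestomped() {
  dir="$1"; gap="${2:-60}"
  find "$dir" -type f -name '*.php' | while read -r f; do
    mt=$(stat -c %Y "$f"); ct=$(stat -c %Z "$f")
    if [ $((ct - mt)) -gt "$gap" ]; then echo "$f"; fi
  done | sort
}

# Stand-alone demo run: build the sample tree and print both reports.
make_sample_tree
echo "== PHP files with dropper markers =="; find_suspicious_php "$WEBROOT"
echo "== PHP files with backdated mtime =="; find_timestomped "$WEBROOT" 60
```

On a real web root, run `find_suspicious_php /path/to/public_html` and `find_timestomped /path/to/public_html` from a shell on the host and compare the two lists; a file that appears in both, or that sits in a folder that should hold no PHP at all (the empty forwarding-domain folders mentioned above), is a good starting point for finding what writes it. Pair this with the web server's access log around each hit's ctime, since a PHP dropper is normally re-created by a request to another PHP file or by a cron entry, and the log timestamp narrows down which one.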