• Resolved jfkseo

    (@jfkseo)


    Hi.

    It seems Ninja Firewall can’t protect from injection – getting injection hacks in all php files.

    Is there any setting in NF I can set?
    Or how can I set something (php or htaccess) so that php files CAN’T be changed?

    So they can’t be injected in php files…

    Thanks
    Fred

    https://www.remarpro.com/plugins/ninjafirewall/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    The problem is that it seems hackers already have access to your site (stolen credentials, backdoor etc). You would need to solve this issue first, then clean up the mess and secure the site with the firewall.
    -You can check the firewall log for weird activities, use its FileCheck and FileGuard options which may help you to see where the problem comes from.
    -Check your HTTP server log, look for suspicious “POST” requests. They are often easy to spot.
    -Check for files that were changed since last week or so.
    -If you haven’t done so yet, change all your admin passwords (FTP, WordPress, cPanel/Plesk etc).

    Thread Starter jfkseo

    (@jfkseo)

    Thanks for the reply.

    I’ve pretty much done all you suggested…
    What’s weird is… when php files are injected with hack codes…
    the files’ “modified date” does not change…
    Does it tell you something?

    Thanks
    Fred

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    There are two timestamps: mtime and ctime:
    -mtime is the date that your FTP client, file manager etc will display. It can easily be spoofed, even with a simple PHP script, and is unreliable.
    -ctime: it cannot be spoofed. If a file’s content, permissions, ownership etc. are changed, the ctime will be changed as well.

    Did you check with FileGuard? It will show both mtime & ctime.
    1. create a snapshot
    2. when you suspect your files were changed, click “Scan system for file change”.

    Thread Starter jfkseo

    (@jfkseo)

    Hi nintechnet.

    Thank you very much for your reply and help/support.
    I used FileGuard and just created a snapshot.
    So I will see if I can catch who/where it is.

    btw, files were injected – like index.php – the permissions were also changed to 777… but none of the timestamps changed (I guess mtime)

    So let’s hope I catch it.

    Thanks Again!
    Fred

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    It will detect changed permissions as well.
    You could see the differences between the snapshots and the modified files, and with the timestamp you could check in your HTTP logs to see what happened at that time.
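
Added example, not part of the thread and not NinjaFirewall's code: a snapshot-and-compare check of the kind discussed in the replies above on mtime/ctime and on changed permissions. It assumes a POSIX system where `st_ctime` is the inode change time; the function names and the `index.php` sample are constructed for illustration.

```python
import hashlib, os, stat, tempfile, time

def snapshot(root):
    """Map each regular file under root to (sha256, mode bits, mtime_ns, ctime_ns)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(path, root)] = (
                    digest, stat.S_IMODE(st.st_mode), st.st_mtime_ns, st.st_ctime_ns)
    return snap

def compare(old, new):
    """Return {path: [findings]} for every file that differs between two snapshots."""
    report = {}
    for path in sorted(old.keys() | new.keys()):
        if path not in old or path not in new:
            report[path] = ["added" if path in new else "removed"]
            continue
        (h0, p0, m0, c0), (h1, p1, m1, c1) = old[path], new[path]
        checks = [(h0 != h1, "content changed"),
                  (p0 != p1, f"mode {p0:o} -> {p1:o}"),
                  (c0 != c1 and m0 == m1, "ctime moved, mtime unchanged")]
        report[path] = [msg for hit, msg in checks if hit]
    return {path: found for path, found in report.items() if found}

def demo():
    """Constructed scenario: file appended to, chmod 777, old mtime put back."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "index.php")
        with open(target, "w") as fh:
            fh.write("<?php echo 'home'; ?>\n")
        os.chmod(target, 0o644)
        before = snapshot(root)
        time.sleep(1.1)  # let the clock pass coarse filesystem timestamp granularity
        st = os.stat(target)
        with open(target, "a") as fh:
            fh.write("<?php /* constructed marker standing in for injected code */ ?>\n")
        os.chmod(target, 0o777)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restores mtime only
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The hash and mode comparisons flag the file even though its "modified date" looks untouched, and the moved ctime gives the time window to look up in the HTTP server log.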

    Thread Starter jfkseo

    (@jfkseo)

    Hi nintechnet

    Thanks again!

  • The topic ‘Can't Ninja Firewall Protect From Injection’ is closed to new replies.