RootKit.HiddenDir

Reports about issues that you encounter in Suffusion. This forum is closed with effect from February 2019. Please post future requests on https://github.com/sayontan/suffusion.
Forum rules
This forum is being officially closed with effect from 3rd February 2019. Future support requests can be posted on the GitHub page at https://github.com/sayontan/suffusion/issues.
lajk
Posts: 10
Joined: 21 Apr 2014, 05:17
Contact:

RootKit.HiddenDir

Post by lajk » 13 Mar 2015, 11:26

Hello everybody,

I have recently downloaded my web page for backup,
and my antivirus actually found something strange... a lot of threats in the suffusion directory.
I'm using three instances of WordPress for multi-language, and the problem was reported in just one. (Actually this directory is not used; it is some data from when the page was remanufactured.)
Threats: Rootkit.Hiddenfile
And it looks like it is in the Suffusion directory. I'm attaching a screenshot.
I'm not sure what it is and how it could be infected.
Last edited by lajk on 13 Mar 2015, 11:38, edited 2 times in total.

lajk
Posts: 10
Joined: 21 Apr 2014, 05:17
Contact:

Re: RootKit.HiddenDir

Post by lajk » 13 Mar 2015, 11:32

Here is the attachment.
Attachment: virus alert1.jpg

Colin
Posts: 5066
Joined: 27 Oct 2009, 10:46

Re: RootKit.HiddenDir

Post by Colin » 13 Mar 2015, 13:03

What are the individual file names? The path isn't really relevant.

lajk
Posts: 10
Joined: 21 Apr 2014, 05:17
Contact:

Re: RootKit.HiddenDir

Post by lajk » 13 Mar 2015, 14:59


drake
Posts: 6223
Joined: 26 Jul 2011, 07:56
Location: Constanta, Romania
Contact:

Re: RootKit.HiddenDir

Post by drake » 13 Mar 2015, 17:37

On Linux it is not really important how the files are named (their extension); if you rename a PHP file as .jpg, you will not see an image, it will execute the PHP script. The extension is important mostly for users, to organize their files in some way; the system looks in the file and executes whatever is there.

Now, rootkits were created many years ago for Linux systems in order to protect the system against unauthorized accesses. A rootkit will hide specified files from everyone, but not from authorized users. It is much more than a firewall; it hides the files completely, for others those files simply do not exist on the server, and because of that they cannot be accessed in any way.

Of course, in the wrong hands, a rootkit can become a powerful virus... By simply hiding some files from legitimate users, the system can be compromised and completely screwed. Unfortunately, an application started with good intentions on Linux is used on Windows only in the bad way.

This is the reason why your files stayed on the server without problems (Linux didn't see them as threats), but when they were copied to Windows, the antivirus reacted immediately.

Now, being under a backup directory, they are probably legitimate files, hidden by the plugin which you've used for backup so that they cannot be accessed from outside.

It is better to ask your plugin author whether he used this technology for protecting the files, or whether the rootkit acts with bad intention.
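Added example, not from this thread or from the Suffusion project: a small Python check a practitioner could run over a downloaded backup directory to do what Colin and drake are getting at, namely look at what each file actually contains rather than at its name. It flags files with an image extension that lack that image's magic bytes, and non-.php files that contain a PHP open tag. The directory layout and file contents are constructed samples.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Magic bytes for image types commonly found in a WordPress theme directory.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(path: Path) -> Optional[str]:
    """Return a finding for one file, or None if the content matches its name.

    Only the first 4 KiB are inspected: magic bytes sit at offset 0, and a
    PHP open tag in a file that claims to be an image is normally near the top.
    """
    head = path.read_bytes()[:4096]
    ext = path.suffix.lower()
    if ext != ".php" and b"<?php" in head:
        return f"{path.name}: PHP open tag inside a non-.php file"
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        return f"{path.name}: extension {ext} but no {ext} header"
    return None

def scan_tree(root: Path) -> list:
    """Walk the tree and collect findings, sorted for stable output."""
    return sorted(f for p in root.rglob("*") if p.is_file() and (f := classify(p)))

def demo() -> list:
    """Constructed sample tree (hypothetical, not the poster's backup):
    a real PNG, a PHP script renamed to .jpg, a corrupt .jpg, and two
    ordinary theme files that should produce no finding."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "suffusion"
        (root / "images").mkdir(parents=True)
        (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
        (root / "images" / "bg.jpg").write_bytes(b"<?php echo 'not an image'; ?>")
        (root / "images" / "thumb.jpg").write_bytes(b"garbage, no JPEG header")
        (root / "style.css").write_text("/* theme stylesheet */\n")
        (root / "functions.php").write_text("<?php // theme functions\n")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```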
