For the last year or so, I have a site that sends me an email listing all the new and modified files on the server.
This morning, these entries caught my eye:
/var/www/html/
/var/www/html/c99.php
The c99 file was not supposed to be on the server.
Listing the /var/www/html directory, I found:
-rw-r--r-- 1 nobody nobody 7293 Aug 1 04:58 (at sign).php
-rw-r--r-- 1 nobody nobody 162032 Jul 31 05:57 c99.php
-rw-r--r-- 1 nobody nobody 0 May 23 01:36 index.html
-rw-r--r-- 1 nobody nobody 44283 May 23 01:36 Dont.Touch.php
I went back through my email inbox and found that the May 23 email was never received - cron had stopped on the server, and a ticket was sent to restart it.
The hosting company recommended I update some file and directory permissions, which I did, with the following commands:
find . -type f -print0 | xargs -0 chmod 644
find . -type d -print0 | xargs -0 chmod 755
These set permissions for all files to 644 and all directories to 755 (the -print0/-0 pair keeps names containing spaces or newlines from being split by xargs).
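As an added example (not code from the original post), here is a small Python file-integrity check in the spirit of the nightly "new and modified files" email described above, which also flags anything outside the 644/755 policy just applied; the function names, the sample web root and the c99.php placeholder are constructed here, not taken from the server.

```python
import hashlib, os, stat, tempfile

FILE_MODE, DIR_MODE = 0o644, 0o755  # policy from the post: files 644, dirs 755

def build_manifest(root):
    """Relative path -> mode, plus SHA-256 for regular files; symlinks are skipped."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entry = {"mode": stat.S_IMODE(st.st_mode)}
            if stat.S_ISDIR(st.st_mode):
                entry["type"] = "dir"
            elif stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:  # web-root files are small; whole read is fine
                    entry.update(type="file", sha256=hashlib.sha256(f.read()).hexdigest())
            else:
                continue
            manifest[os.path.relpath(path, root)] = entry
    return manifest

def compare(old, new):
    """Added/deleted/modified paths since the saved manifest (a mode change counts too)."""
    return {"added": sorted(p for p in new if p not in old),
            "deleted": sorted(p for p in old if p not in new),
            "modified": sorted(p for p in new if p in old and new[p] != old[p])}

def policy_violations(manifest):
    """Entries whose mode is not the 644 (file) / 755 (dir) the post enforced."""
    want = {"file": FILE_MODE, "dir": DIR_MODE}
    return sorted(p for p, e in manifest.items() if e["mode"] != want[e["type"]])

def _put(path, text, mode):
    """Write a constructed sample file with an explicit mode."""
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: baseline a tiny web root, then change index.html and drop a loose-mode c99.php placeholder."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "images"))
        os.chmod(os.path.join(root, "images"), DIR_MODE)
        _put(os.path.join(root, "index.html"), "<html></html>", FILE_MODE)
        baseline = build_manifest(root)
        _put(os.path.join(root, "index.html"), "<html>changed</html>", FILE_MODE)
        _put(os.path.join(root, "c99.php"), "<?php /* constructed placeholder */ ?>", 0o666)
        current = build_manifest(root)
        return compare(baseline, current), policy_violations(current)
```

The baseline manifest can be saved (for example as JSON) and compared on each cron run; the May 23 gap above shows that a report which fails to arrive is itself worth alerting on.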
I tarred up the files and sent them to the hosting company, along with some notes.
On the bright side - nothing was lost, and the cleanup was pretty straightforward.
The error log showed execution attempts, which failed, and that IP address has been blocked.
The hack was not on this server.