4 files were installed in the template folder. My page is still on version 7.1.6.
.htaccess
black.php
recky.php
metri.php
metri.php was identified as PHP / Bot.S.1
I put the 4 files into a RAR file. Maybe someone wants to take a look at those kinds of files. I renamed metri.php so that my virus detector doesn't delete it automatically.
Has anyone experience with this kind of attack?
Any advice?
(Note: Removed the attachment and moved.)
Dolphin 7.1.6 is old and vulnerable to a few security issues, but likely it's from this one: https://www.boonex.com/forums/topic/Dolphin-7-3-3-Manual-Security-Fix.htm
So if the site was never patched, it was only a matter of when the site would be hit. You need to restore from backup or find all modified files and delete/replace them. You should then immediately patch or upgrade to 7.3.3, which has all security fixes included.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Same here. Exact same files, and my hosting was shut down. You may have to clean your site or roll it back. We found a DDoS script hidden within all the files.
Is there an easy way to update 7.1... to 7.3.3 or do I need to go up to 7.2 first, and so on?
> Same here. Exact same files, and my hosting was shut down. You may have to clean your site or roll it back. We found a DDoS script hidden within all the files.
> Is there an easy way to update 7.1... to 7.3.3 or do I need to go up to 7.2 first, and so on?
You'll need to upgrade to the next version - so from 7.1.6 to 7.2.0, to 7.2.1, and so on. At least apply the emergency fix I linked to, and that should take care of the urgent issue.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
I found 3 more files in the root directory
errors.php
index.inc.php
java.php
> I found 3 more files in the root directory
> errors.php
> index.inc.php
> java.php
And there are likely more - and a bunch of modified core files that include malicious code as well. You need to either restore from a backup taken before the infection, or if that can't be done, find all files modified in the last X days and delete or revert them. Otherwise it will be whack-a-mole and frequent issues. Your host might be able to help.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
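The triage the reply describes (listing recently modified files, and checking for the dropped file names from this thread) as an added POSIX shell example; it is not a script from the thread or from BoonEx, and the web-root path, the day count and the obfuscation markers it greps for are assumptions.

```shell
#!/bin/sh
# Hypothetical Dolphin web-root triage helpers (added example, not from the thread).
# All functions print one matching path per line, sorted, so results can be diffed.

# Files modified within the last N days, regardless of name.
# Caveat: an attacker can reset mtimes with touch, so an empty result is not proof
# of a clean site; also diff the tree against a clean copy of the same release.
recent_files() {
  root="$1"; days="$2"
  find "$root" -type f -mtime "-$days" -print | sort
}

# File names reported as dropped in this thread (constructed from the posts above).
KNOWN_DROPPED="black.php recky.php metri.php errors.php index.inc.php java.php"

# Any file anywhere under the web root carrying one of those names.
find_named() {
  root="$1"
  for n in $KNOWN_DROPPED; do
    find "$root" -type f -name "$n"
  done | sort
}

# PHP files containing markers commonly used by obfuscated droppers.
# Assumed marker list; a hit is a lead to inspect, not a verdict.
suspicious_php() {
  root="$1"
  find "$root" -type f -name '*.php' \
    -exec grep -l -E 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' {} + 2>/dev/null | sort
}

# Usage: sh triage.sh /path/to/dolphin [days]   (assumed invocation)
if [ "$#" -gt 0 ]; then
  echo "== modified in last ${2:-7} days ==";  recent_files "$1" "${2:-7}"
  echo "== known dropped names ==";            find_named "$1"
  echo "== php with obfuscation markers ==";   suspicious_php "$1"
fi
```

Review every hit by hand against a clean 7.1.6 archive before deleting anything, since legitimate core files can also contain base64_decode( calls.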
I would also increase security on your server. Turn off regular FTP; it is a hole that can be exploited. Use SFTP and make sure all your passwords are long and complicated, with upper and lower case letters, numerals, and symbols. Make sure all ports on the server that are not needed are closed. If you are not running a mail server, close all ports used for email. If you have not already done so, change all logins and passwords, and remember the rule above for passwords.
Geeks, making the world a better place
I looked for "date modified" files. I looked into every folder. I did not find any more recently modified files.
The server only has SFTP, not regular FTP. I also use only chaotic passwords.
I have now applied the hotfix you mentioned. What exactly could the attacker do with this exploit?
Or in other words, what exactly does this added "=" change?
> I looked for "date modified" files. I looked into every folder. I did not find any more recently modified files.
> The server only has SFTP, not regular FTP. I also use only chaotic passwords.
> I have now applied the hotfix you mentioned. What exactly could the attacker do with this exploit?
> Or in other words, what exactly does this added "=" change?
I am not sure the exploit would allow one to upload and modify files in the root. Which is why I would look more towards the server.
Geeks, making the world a better place
I looked into the bash history; there were no unusual entries, only my own commands.
If another person had had direct access to the server, I assume his commands would have been recorded in the bash history.
Is this correct, or a false assumption on my part?
Details on the exploit are here: https://www.exploit-db.com/exploits/40631/ and here: https://www.exploit-db.com/exploits/40756/
You can see it bypasses authentication, uploads a script, and from there it's Happy Days.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin