iSKORPiTX Footprints … Recovering an iSKORPiTX Hacked Site

Last weekend, one of my friends called me in a hurry: my intranet official site had been hacked and suspended by the hosting service due to phishing. What to do next … Here is the process I used to find the root cause and recover …

Hosting service indicated this in email …

Reported Malicious Content: script s/SIIBIC/index.processa

Other Potential Malware:


Root Cause

In /tmp/x.txt the hacker left his name as a signature: “iskorpitx”. I searched Google and found many related links describing possible causes …

Site hacked through extcalendar component

Dreamhost e-mailed me earlier today and said that my website was an isolated incident. I think it was a Joomla! (opensource CMS) exploit.

The old version of Joomla (1.5.5) has some serious security issues. Upgrade to Joomla 1.5.6.

My host support got back to me, looks like it was a server-wide issue, someone had an old Joomla script on their site that was exploited.

There was an older version of Joomla installed on the website, so this was most probably the core reason the attacker gained write access to the /public_html/tmp folder.


I found a useful link showing some recovery tips …

How to find backdoor PHP shell scripts on a server

I went to the access logs to find the scripts, but only the last 24 hours of logs were there … showing heavy access to the malware code.

I asked the hosting service to give me SSH access, and after several tries, I searched for the recently created files on the server …

Files created or changed (inode change time, -ctime) in the last 60 days …
find ./ -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt

Files created or changed in the last 60 days, with an excluded folder …
find ./ -path './ignore-folder' -prune -o -type f -ctime -60 -exec ls -lc '{}' \; > ../last-activity.txt

Another useful find call to get the 20 most recently modified files, skipping static assets …

find . -type f -printf '%TY-%Tm-%Td %TH:%TM: %Tz %p\n' | sort -n | grep -v "css" | grep -v jpg | grep -v less | grep -v gif | grep -v png | tail -n20
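The same triage, as an added example that is not part of the original post: it lists recently changed files under a Joomla web root (skipping static assets and a pruned folder) and then flags the patterns seen above, PHP files inside upload folders (tmp/, images/) and anything under a hidden directory such as .scripts/. The sample tree is constructed with make_sample_root; the folder names and days threshold are assumptions, and GNU find is required for -printf.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GNU find (-printf, %C).

# recent_files ROOT DAYS: files under ROOT whose inode changed in the last DAYS
# days, ignoring ./cache and static assets; output "YYYY-MM-DD HH:MM ./path".
recent_files() {
  ( cd "$1" && find . -path ./cache -prune -o -type f -ctime "-$2" \
      ! \( -name '*.css' -o -name '*.jpg' -o -name '*.gif' -o -name '*.png' \) \
      -printf '%CY-%Cm-%Cd %CH:%CM %p\n' ) | sort
}

# flag_suspicious ROOT DAYS: from the recent list, keep only
#   - PHP files under tmp/ or images/ (upload folders, should hold no code)
#   - any file inside a hidden directory (e.g. ./.scripts/... phishing kits)
flag_suspicious() {
  recent_files "$1" "$2" | awk '{print $3}' \
    | grep -E '^\./(tmp|images)/.*\.php$|^\./(.*/)?\.[^/]+/'
}

# make_sample_root: constructed web root mimicking the footprints in the post.
# Prints the path of the temporary directory it created.
make_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/tmp" "$d/images" "$d/templates/beez" "$d/.scripts/cetelem" "$d/cache"
  echo 'iskorpitx' > "$d/tmp/x.txt"                  # signature file, not code
  echo '<?php /* uploader */ ?>' > "$d/tmp/up.php"   # PHP in temp folder
  echo '<?php /* helper */ ?>' > "$d/images/logs.php" # PHP in images folder
  : > "$d/images/banner.png"                         # static asset, skipped
  echo '<?php /* legit */ ?>' > "$d/templates/beez/index.php"
  echo '<html></html>' > "$d/.scripts/cetelem/login.php" # hidden phishing dir
  echo '<?php ?>' > "$d/cache/old.php"               # pruned folder
  echo "$d"
}

# Usage on a real host: flag_suspicious /home/user/public_html 60
```

On a real server, run flag_suspicious against the web root and review each hit by hand; the regex only narrows the list, it does not prove a file is malicious.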

Now last-activity.txt showed exactly what I was looking for … files with their change times, showing the footprints of the hackers.

# files uploaded into the tmp folder, probably through the Joomla security hole … tmp is Joomla’s temp folder

Mar 10 11:48 ./tmp/x.txt
Mar 20 04:16 ./tmp/up.php
Mar 20 03:33 ./tmp/abc.php
Apr 22 11:25 ./templates/ja_purity/index.php

# reverse shell console … executes sh commands
Apr 30 16:45 ./templates/beez/index.php

# probably remote shell helper
May 4 07:34 ./images/logs.php

# uploaded phishing script archive
May 4 11:39 ./images/

# extracted phishing scripts
May 4 11:46 ./.scripts/index.html
May 4 11:46 ./.scripts/infobusca/index.htm
May 4 11:46 ./.scripts/cetelem/login.php

May 4 11:49 ./images/

The phishing scripts were pure evil … they captured user input (credit card, user/password), stored it in ../.out/file.txt and emailed the file contents to “” … They contained cloned login pages of 12 portals (bank / credit card / other … serasaexperian, amex etc.).

I’ve asked the Gmail security team to trace this account for investigation.

No extra email accounts, cron jobs, FTP accounts or databases were found through cPanel.
I cleared the malicious content and asked the hosting service to enable the website again.



– Pay serious attention to security updates of installed apps (Windows, Joomla, WordPress … anything).
– Don’t blindly trust 3rd-party plugins / extensions of open source tools. Do a minimal code audit if possible.
– Don’t install anything from untrusted, warez-like websites. A comprehensive code audit is a must.


Google Doctype “Written by web developers, for web developers.”

I found great online documentation for web developers covering various JavaScript How-Tos.

Main URL:

Read HOWTO articles on

Dive into DOM objects, including

Style your pages with CSS

Do you need help with an HTML element? We have an HTML reference from <a> to <xmp>.