I’m posting this because I don’t have a clue why the below happened, because everything was up to date. Maybe more people are experiencing this?
A client’s site was hacked, while everything was up to date (including PHP versions, etc.).
Visitors get redirected to a “You Are Today’s Lucky Visitor” spam site when approaching the site through the Google Business page in the Google search results. When approaching the site via the domain name, nothing was wrong (or seemed wrong).
A scan gave these results:
‘/var/www/vhosts/website.nl/httpdocs/assets/bestanden/documenten/wcynluzp.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/assets/components/gallery/connector.php’
Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
‘/var/www/vhosts/website.nl/httpdocs/assets/components/gallery/packages/hdevuurb.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/assets/components/redactor/qxtnpmwp.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/assets/components/sitedashclient/.d1caf546.ico’
Known exploit = [Fingerprint Match] [PHP Exploit [P1496]]
‘/var/www/vhosts/website.nl/httpdocs/assets/gallery/1/tabufoiv.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/core/components/captcha/lexicon/redyajmh.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/core/components/formit/test/ljrpamsk.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/core/components/gallery/index.class.php’
Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
‘/var/www/vhosts/website.nl/httpdocs/core/components/versionx/pflperjq.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
‘/var/www/vhosts/website.nl/httpdocs/core/components/wayfinder/configs/cssplay-dropdown.config.php’
Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
‘/var/www/vhosts/website.nl/httpdocs/core/components/wayfinder/configs/cssplay-flyout.config.php’
Known exploit = [Fingerprint Match] [PHP Injection Exploit [P0997]]
‘/var/www/vhosts/website.nl/httpdocs/core/docs/etlftfha.php’
Known exploit = [Fingerprint Match] [PHP Shell [P1654]]
etc.