Unexpected PHP File in Image Gallery

TL;DR

Someone uploaded a malicious PHP file to your image gallery folder. This guide helps you find it, remove it, and secure your website against future attacks.

1. Identify the Problem File

The first step is finding the rogue PHP file. It is often named to look like an image or another harmless file, but it ends in a .php extension.

  • Check Recent Files: Look at your website’s file manager (usually provided by your hosting provider) and sort files by date modified. This will bring recently uploaded files to the top.
  • Look for Suspicious Extensions: Focus on files ending in .php within your image gallery directory. Common gallery folders include /wp-content/uploads/ (WordPress), /images/, or similar.
  • File Size Anomalies: PHP files are typically small text files. If a file with a .php extension is unusually large compared to your images, it’s a red flag.
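The checks above can be run from a shell on the server instead of a file manager. The script below is an added example, not part of the original guide: the function names scan_uploads and make_sample_gallery are hypothetical, and it goes slightly beyond the list by also flagging other extensions PHP handlers are commonly mapped to and image-named files that contain a PHP opening tag.

```sh
#!/bin/sh
# Added example (not from the original guide).
# scan_uploads DIR [DAYS]: list files under DIR that need review.
#   DIR  - image gallery / upload directory (caller supplies the path)
#   DAYS - optional: only consider files modified in the last DAYS days
# Prints "reason<TAB>path" per finding. Returns 2 if DIR is not a directory.
scan_uploads() (
    dir=$1
    days=${2:-}
    tab=$(printf '\t')
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }

    # Reuse the positional parameters as an optional "-mtime -DAYS" filter.
    if [ -n "$days" ]; then set -- -mtime "-$days"; else set --; fi

    # 1) Names ending in an extension PHP handlers are commonly mapped to.
    find "$dir" -type f "$@" \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -iname '*.phar' \) -print | sed "s/^/php-extension$tab/"

    # 2) Files named like images whose bytes contain a PHP opening tag.
    find "$dir" -type f "$@" \
        \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
           -o -iname '*.gif' \) -exec grep -l -i -F '<?php' {} + |
        sed "s/^/php-in-image$tab/"
    exit 0
)

# Constructed sample tree for trying the function offline (harmless content).
make_sample_gallery() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/2024/05"
    printf 'GIF89a constructed image bytes' > "$sample/2024/05/cat.gif"
    printf '<?php /* constructed marker */ ?>' > "$sample/2024/05/thumb.php"
    printf 'GIF89a<?php /* constructed marker */ ?>' > "$sample/banner.GIF"
    printf '%s\n' "$sample"
}
```

A finding is a prompt for manual review, not proof of compromise; record the path and modification time before removing anything.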

2. Remove the Malicious File

Once you’ve identified the file, delete it immediately.

  • Using Your File Manager: Right-click on the file in your hosting provider’s file manager and select “Delete”.
  • Via FTP (Advanced): Connect to your server using an FTP client (like FileZilla). Navigate to the image gallery folder and delete the file.

Important: Back up your website *before* deleting anything, just in case.

3. Scan for Further Compromises

The attacker may have uploaded other malicious files. A full scan is essential.

  • Website Security Scanner: Use a reputable online website security scanner (like Sucuri SiteCheck, VirusTotal, or those offered by your hosting provider). These tools can detect malware and vulnerabilities.
  • Manual File Inspection: If you’re comfortable, manually review files in core directories like /wp-admin/, /wp-includes/ (WordPress), and any custom folders for unexpected PHP code.

4. Secure Your Website

Prevent future uploads of malicious files.

  • File Upload Restrictions: Configure your website or server to only allow specific file types in the image gallery (e.g., jpg, png, gif).
  • WordPress Specific: If using WordPress:
    • Keep WordPress Core Updated: Regularly update WordPress itself.
    • Update Plugins and Themes: Outdated plugins and themes are a common entry point for attackers.
    • Use a Security Plugin: Install a security plugin like Wordfence or Sucuri Security to provide extra protection.
  • Strong Passwords: Use strong, unique passwords for all website accounts (admin panel, FTP, database).
  • Limit File Permissions: Ensure files have appropriate permissions. Generally, files should be readable by the web server but not writable unless absolutely necessary.
    chmod 644 filename.php

5. Check .htaccess (Apache) or web.config (IIS)

Attackers sometimes modify these files to redirect traffic or execute malicious code.

  • Review for Backdoors: Open your .htaccess file (if using Apache) or web.config file (if using IIS) and look for any unusual code, especially base64-encoded strings or redirects.