Question
Today i've found my webserver with all files encrypted (index.php.encrypted)
There is also heavy POST and GET registries in my log. Specially from an unkown php file called POSTipport.php
Any advice would be apreciated.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×
Sounds like your site has been hacked. IPPort.php is a function to parse a IPaddr:Port string into is constituent IP address and port.
In some cases the perp contacts the victim demanding payment to have the site unencrypted. If they just want the site then your only recourse is to rebuild. Hope you had a backup. Also if you have access to logs you might be able to figure out how it was compromised so that any new or rebuilt site is patched.