Question

Today I've found my webserver with all files encrypted (index.php.encrypted).

There are also heavy POST and GET registries in my log, especially from an unknown PHP file called POST_ip_port.php.

Any advice would be appreciated.


Sounds like your site has been hacked. IPPort.php is a function to parse an IPaddr:Port string into its constituent IP address and port.

In some cases the perp contacts the victim demanding payment to have the site unencrypted. If they just want the site then your only recourse is to rebuild. Hope you had a backup. Also if you have access to logs you might be able to figure out how it was compromised so that any new or rebuilt site is patched.
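The log review suggested in the answer above can be scripted; the following is an added example, not part of the original thread. It assumes a combined-format access log, and the sample lines, IP addresses and the earlier `POST /index.php` request are constructed for illustration.

```python
import re
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Jan/2016:03:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2016:03:11:30 +0000] "POST /index.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [10/Jan/2016:03:12:45 +0000] "POST /POST_ip_port.php HTTP/1.1" 200 48',
    '203.0.113.7 - - [10/Jan/2016:03:12:50 +0000] "GET /POST_ip_port.php HTTP/1.1" 200 48',
    '198.51.100.20 - - [10/Jan/2016:03:15:00 +0000] "POST /index.php HTTP/1.1" 200 300',
]

def parse(lines):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield e

def trace_entry(lines, suspect="POST_ip_port.php"):
    """Return (first_hit, earlier): the first request to the suspect file, and the
    successful POSTs sent before it by any client that later requested that file."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    hits = [e for e in events if suspect in e["path"]]
    if not hits:
        return None, []
    first = hits[0]
    ips = {e["ip"] for e in hits}
    earlier = [
        e for e in events
        if e["ts"] < first["ts"] and e["ip"] in ips
        and e["method"] == "POST" and e["status"].startswith("2")
    ]
    return first, earlier

if __name__ == "__main__":
    first, earlier = trace_entry(SAMPLE_LOG)
    print("first hit:", first["ts"], first["ip"], first["path"])
    for e in earlier:
        print("candidate entry point:", e["ts"], e["ip"], e["method"], e["path"])
```

The requests listed as candidates are the ones to compare against the rebuilt site's components when deciding what needs patching.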



Hello,

I’m really sorry to be the bearer of bad news. Unfortunately it sounds like your webserver was compromised and fell victim to some ransomware. If that is the case, your best bet would be to restore from one of your backups, since you won’t otherwise be able to unencrypt your files without paying the ransom.

Joomla has recently seen several security vulnerabilities and, like every web application, it is important that you keep Joomla up to date in order to prevent it from being compromised. The latest version of Joomla (as of making this post) is 3.4.8, so when you redeploy based on your backup, I highly recommend upgrading Joomla straight away.

Best, Eris Platform Support Specialist