Best way to remove Trojan / Virus?


Sheffielder

Posted

So I think I have a trojan virus on my site

It keeps repeatedly uploading a folder (says something about an invoice) with a php file within it


I've downloaded fresh files from here and overwritten and then ran upgrade but it still happens

What's the fastest and best way to eradicate trojans/viruses from forum software please?

Posted


Thanks

Both of those can't find it

Have run them, not found anything, yet I delete the folder that the virus keeps creating and a few minutes later another one reappears

So frustrating but determined not to let it beat me!

Posted

Find a trusted person with more experience to check this out on your server directly. There are no general ways to solve this. You need to identify the specific problem and then follow its trail to remove it. 

I can’t even say there is a virus. A folder with a php file? That can mean anything. 

Posted

 

So basically what happens is a folder appears in my public html folder saying 'invoice number 5507'

If I delete it - it reappears after about 15 minutes

Inside it is a PHP file

Posted

And what’s the code in that file? We don’t know anything about your server. Maybe there is a shopping app running somewhere that creates those files legitimately. We can’t know that. 

Posted

What is the file called?

Any info in your ACP logs?

How do you host your site - is there a company involved and if so have you asked them?

Made any changes lately via third parties?

Using any script like advertising?

 

Seriously... self-hosting means you need to be both on top of all of this stuff AND know that you instantly provide this info when asking for help. Right now it sounds like you'd be better on CitC.

Posted

Best way: Reinstall the server (if it is a virus)

No seriously ... reinstall your server.

All the tips about finding the file and trying to remove it are useless; the reason is that the hackers have most likely added backdoors to gain access again.
Save your time and the time of others by simply reinstalling the server.
Back up the media, back up the database, reinstall the server, load a fresh install package from invisionpower and import the media/database dump.

Some minor tips from just another forum user (I have learned a lot of things painfully myself over 10 years of hosting experience):

  • Don't trust anyone on the internet
  • Give people only the access they REALLY require; most people do not require any access.
    As an example, I am the only one that can access my server infrastructure, no one else can. I am, along with 1 other guy, able to access the Admin CP of my forum, and my mods can't even do most moderation actions.
  • Set secure passwords if you use them for FTP/SSH. The idea of having special chars or upper/lower-case letters is not secure; the only measure of a secure password is its length with non-dictionary words. If anyone is interested in getting further into it, follow up here:
    https://blog.codinghorror.com/hacker-hack-thyself/

As a last point: even if that is always a bad thing to happen, it has a positive effect: you learn from the things you have done wrong.

Greetings

Posted

Good advice from @GriefCode, but of course, check with your hosting company first - it might be them generating an invoice for your hosting package and that's where your electronic receipts are being stored.

Archived

This topic is now archived and is closed to further replies.
